@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +43 -36
- package/dist/bin.js +5765 -4880
- package/dist/browser/index.d.ts +30 -0
- package/dist/browser/index.js +93 -0
- package/dist/browser/locks.js +11 -0
- package/dist/browser/navigation.js +14 -0
- package/dist/{factors → browser}/passkey.js +23 -32
- package/dist/browser/runtime.js +92 -0
- package/dist/client/core/types.d.ts +452 -5
- package/dist/client/core/types.js +17 -0
- package/dist/client/errors.js +19 -0
- package/dist/client/factors/device.js +94 -0
- package/dist/{factors → client/factors}/totp.js +12 -4
- package/dist/client/index.d.ts +47 -1
- package/dist/client/index.js +269 -232
- package/dist/client/runtime/mutex.js +24 -0
- package/dist/client/runtime/proxy.js +30 -0
- package/dist/client/runtime/storage.js +45 -0
- package/dist/client/services/adapters.js +7 -0
- package/dist/client/services/http.js +6 -0
- package/dist/client/services/resolve.js +13 -0
- package/dist/client/services/runtime.js +6 -0
- package/dist/component/_generated/component.d.ts +1355 -1399
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/index.d.ts +4 -26
- package/dist/component/index.js +1 -1
- package/dist/component/model.d.ts +26 -112
- package/dist/component/model.js +76 -54
- package/dist/component/modules.js +38 -0
- package/dist/component/public/factors/devices.js +1 -1
- package/dist/component/public/factors/passkeys.js +1 -1
- package/dist/component/public/factors/totp.js +1 -1
- package/dist/component/public/groups/core.js +2 -2
- package/dist/component/public/groups/invites.js +1 -1
- package/dist/component/public/groups/members.js +1 -1
- package/dist/component/public/identity/accounts.js +1 -1
- package/dist/component/public/identity/codes.js +1 -1
- package/dist/component/public/identity/sessions.js +39 -2
- package/dist/component/public/identity/tokens.js +82 -4
- package/dist/component/public/identity/users.js +1 -1
- package/dist/component/public/identity/verifiers.js +10 -4
- package/dist/component/public/security/keys.js +1 -1
- package/dist/component/public/security/limits.js +1 -1
- package/dist/component/public/{enterprise → sso}/audit.js +26 -26
- package/dist/component/public/sso/core.js +263 -0
- package/dist/component/public/sso/domains.js +280 -0
- package/dist/component/public/{enterprise → sso}/scim.js +87 -87
- package/dist/component/public/sso/secrets.js +125 -0
- package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
- package/dist/component/public.js +9 -9
- package/dist/component/schema.d.ts +472 -393
- package/dist/component/schema.js +36 -35
- package/dist/core/index.d.ts +380 -0
- package/dist/core/index.js +83 -0
- package/dist/otel.d.ts +69 -0
- package/dist/otel.js +82 -0
- package/dist/providers/anonymous.d.ts +15 -34
- package/dist/providers/anonymous.js +27 -35
- package/dist/providers/apple.d.ts +59 -0
- package/dist/providers/apple.js +58 -0
- package/dist/providers/credentials.d.ts +18 -34
- package/dist/providers/credentials.js +16 -27
- package/dist/providers/custom.d.ts +94 -0
- package/dist/providers/custom.js +119 -0
- package/dist/providers/device.d.ts +15 -49
- package/dist/providers/device.js +17 -34
- package/dist/providers/email.d.ts +21 -38
- package/dist/providers/email.js +36 -55
- package/dist/providers/github.d.ts +54 -0
- package/dist/providers/github.js +75 -0
- package/dist/providers/google.d.ts +54 -0
- package/dist/providers/google.js +61 -0
- package/dist/providers/index.d.ts +16 -12
- package/dist/providers/index.js +15 -11
- package/dist/providers/microsoft.d.ts +57 -0
- package/dist/providers/microsoft.js +101 -0
- package/dist/providers/passkey.d.ts +19 -35
- package/dist/providers/passkey.js +20 -30
- package/dist/providers/password.d.ts +17 -18
- package/dist/providers/password.js +121 -143
- package/dist/providers/phone.d.ts +13 -28
- package/dist/providers/phone.js +21 -46
- package/dist/providers/sso.d.ts +16 -36
- package/dist/providers/sso.js +21 -22
- package/dist/providers/totp.d.ts +13 -29
- package/dist/providers/totp.js +17 -27
- package/dist/server/auth-context.d.ts +204 -0
- package/dist/server/auth-context.js +76 -0
- package/dist/server/auth.d.ts +99 -244
- package/dist/server/auth.js +56 -152
- package/dist/server/componentContext.d.ts +12 -0
- package/dist/server/componentContext.js +1 -0
- package/dist/server/config.js +6 -67
- package/dist/server/constants.js +6 -0
- package/dist/server/contract.d.ts +105 -0
- package/dist/server/contract.js +43 -0
- package/dist/server/cookies.js +3 -2
- package/dist/server/core.js +31 -36
- package/dist/server/crypto.js +34 -44
- package/dist/server/db.js +6 -1
- package/dist/server/device.js +96 -130
- package/dist/server/env.js +48 -0
- package/dist/server/errors.js +20 -0
- package/dist/server/http.d.ts +15 -59
- package/dist/server/http.js +136 -120
- package/dist/server/identity.js +2 -2
- package/dist/server/index.d.ts +5 -4
- package/dist/server/index.js +3 -3
- package/dist/server/keys.js +10 -1
- package/dist/server/limits.js +26 -26
- package/dist/server/log.js +28 -0
- package/dist/server/mounts.d.ts +1107 -296
- package/dist/server/mounts.js +315 -196
- package/dist/server/mutations/account.js +11 -14
- package/dist/server/mutations/code.js +6 -5
- package/dist/server/mutations/invalidate.js +9 -11
- package/dist/server/mutations/oauth.js +112 -73
- package/dist/server/mutations/refresh.js +47 -97
- package/dist/server/mutations/register.js +37 -35
- package/dist/server/mutations/retrieve.js +16 -16
- package/dist/server/mutations/signature.js +15 -18
- package/dist/server/mutations/signin.js +10 -5
- package/dist/server/mutations/signout.js +11 -14
- package/dist/server/mutations/store.js +25 -18
- package/dist/server/mutations/verifier.js +11 -8
- package/dist/server/mutations/verify.js +53 -41
- package/dist/server/oauth/factory.js +44 -0
- package/dist/server/oauth/index.js +12 -0
- package/dist/server/oauth/runtime.js +248 -0
- package/dist/server/passkey.js +331 -365
- package/dist/server/payloads.d.ts +16 -0
- package/dist/server/payloads.js +30 -0
- package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
- package/dist/server/prefetch.js +635 -0
- package/dist/server/random.js +19 -0
- package/dist/server/redirects.js +10 -5
- package/dist/server/refresh.js +14 -86
- package/dist/server/runtime.d.ts +531 -31
- package/dist/server/runtime.js +106 -267
- package/dist/server/secret.js +44 -0
- package/dist/server/services/config.js +10 -0
- package/dist/server/services/group.js +211 -0
- package/dist/server/services/logger.js +8 -0
- package/dist/server/services/providers.js +22 -0
- package/dist/server/services/refresh.js +8 -0
- package/dist/server/services/resolve.js +27 -0
- package/dist/server/services/signin.js +8 -0
- package/dist/server/sessions.js +35 -34
- package/dist/server/signin.js +229 -140
- package/dist/server/{enterprise → sso}/config.js +10 -3
- package/dist/server/sso/domain.d.ts +614 -0
- package/dist/server/sso/domain.js +1175 -0
- package/dist/server/sso/http.js +1060 -0
- package/dist/server/sso/oidc.js +324 -0
- package/dist/server/sso/policies.js +59 -0
- package/dist/server/sso/policy.js +139 -0
- package/dist/server/sso/profile.js +22 -0
- package/dist/server/sso/provision.js +179 -0
- package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
- package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
- package/dist/server/sso/shared.js +74 -0
- package/dist/server/sso/validators.js +88 -0
- package/dist/server/sso/webhook.js +94 -0
- package/dist/server/tokens.js +16 -4
- package/dist/server/totp.js +155 -164
- package/dist/server/types.d.ts +306 -296
- package/dist/server/types.js +1 -30
- package/dist/server/url.js +32 -0
- package/dist/server/users.js +74 -40
- package/dist/server/utils/cache.js +51 -0
- package/dist/server/utils/dispatch.js +36 -0
- package/dist/server/utils/retry.js +24 -0
- package/dist/server/utils/span.js +32 -0
- package/dist/shared/errors.js +19 -0
- package/dist/shared/log.js +45 -0
- package/{src/test.ts → dist/test.d.ts} +21 -22
- package/dist/test.js +51 -0
- package/package.json +70 -42
- package/dist/authorization/index.d.ts.map +0 -1
- package/dist/authorization/index.js.map +0 -1
- package/dist/client/core/types.d.ts.map +0 -1
- package/dist/client/index.d.ts.map +0 -1
- package/dist/client/index.js.map +0 -1
- package/dist/component/_generated/api.d.ts +0 -75
- package/dist/component/_generated/api.d.ts.map +0 -1
- package/dist/component/_generated/api.js.map +0 -1
- package/dist/component/_generated/component.d.ts.map +0 -1
- package/dist/component/_generated/dataModel.d.ts +0 -42
- package/dist/component/_generated/dataModel.d.ts.map +0 -1
- package/dist/component/_generated/server.d.ts +0 -117
- package/dist/component/_generated/server.d.ts.map +0 -1
- package/dist/component/_generated/server.js.map +0 -1
- package/dist/component/_virtual/rolldown_runtime.js +0 -18
- package/dist/component/client/core/types.d.ts +0 -2
- package/dist/component/client/index.d.ts +0 -1
- package/dist/component/convex.config.d.ts.map +0 -1
- package/dist/component/convex.config.js.map +0 -1
- package/dist/component/functions.d.ts +0 -25
- package/dist/component/functions.d.ts.map +0 -1
- package/dist/component/functions.js.map +0 -1
- package/dist/component/index.d.ts.map +0 -1
- package/dist/component/model.d.ts.map +0 -1
- package/dist/component/model.js.map +0 -1
- package/dist/component/providers/anonymous.d.ts +0 -54
- package/dist/component/providers/anonymous.d.ts.map +0 -1
- package/dist/component/providers/credentials.d.ts +0 -38
- package/dist/component/providers/credentials.d.ts.map +0 -1
- package/dist/component/providers/device.d.ts +0 -67
- package/dist/component/providers/device.d.ts.map +0 -1
- package/dist/component/providers/email.d.ts +0 -62
- package/dist/component/providers/email.d.ts.map +0 -1
- package/dist/component/providers/oauth.d.ts +0 -25
- package/dist/component/providers/oauth.d.ts.map +0 -1
- package/dist/component/providers/oauth.js +0 -13
- package/dist/component/providers/oauth.js.map +0 -1
- package/dist/component/providers/passkey.d.ts +0 -57
- package/dist/component/providers/passkey.d.ts.map +0 -1
- package/dist/component/providers/password.d.ts +0 -88
- package/dist/component/providers/password.d.ts.map +0 -1
- package/dist/component/providers/phone.d.ts +0 -48
- package/dist/component/providers/phone.d.ts.map +0 -1
- package/dist/component/providers/sso.d.ts +0 -50
- package/dist/component/providers/sso.d.ts.map +0 -1
- package/dist/component/providers/totp.d.ts +0 -45
- package/dist/component/providers/totp.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.d.ts +0 -73
- package/dist/component/public/enterprise/audit.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.js.map +0 -1
- package/dist/component/public/enterprise/core.d.ts +0 -176
- package/dist/component/public/enterprise/core.d.ts.map +0 -1
- package/dist/component/public/enterprise/core.js +0 -292
- package/dist/component/public/enterprise/core.js.map +0 -1
- package/dist/component/public/enterprise/domains.d.ts +0 -174
- package/dist/component/public/enterprise/domains.d.ts.map +0 -1
- package/dist/component/public/enterprise/domains.js +0 -271
- package/dist/component/public/enterprise/domains.js.map +0 -1
- package/dist/component/public/enterprise/scim.d.ts +0 -245
- package/dist/component/public/enterprise/scim.d.ts.map +0 -1
- package/dist/component/public/enterprise/scim.js.map +0 -1
- package/dist/component/public/enterprise/secrets.d.ts +0 -78
- package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
- package/dist/component/public/enterprise/secrets.js +0 -118
- package/dist/component/public/enterprise/secrets.js.map +0 -1
- package/dist/component/public/enterprise/webhooks.d.ts +0 -211
- package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
- package/dist/component/public/enterprise/webhooks.js.map +0 -1
- package/dist/component/public/factors/devices.d.ts +0 -157
- package/dist/component/public/factors/devices.d.ts.map +0 -1
- package/dist/component/public/factors/devices.js.map +0 -1
- package/dist/component/public/factors/passkeys.d.ts +0 -175
- package/dist/component/public/factors/passkeys.d.ts.map +0 -1
- package/dist/component/public/factors/passkeys.js.map +0 -1
- package/dist/component/public/factors/totp.d.ts +0 -189
- package/dist/component/public/factors/totp.d.ts.map +0 -1
- package/dist/component/public/factors/totp.js.map +0 -1
- package/dist/component/public/groups/core.d.ts +0 -137
- package/dist/component/public/groups/core.d.ts.map +0 -1
- package/dist/component/public/groups/core.js.map +0 -1
- package/dist/component/public/groups/invites.d.ts +0 -217
- package/dist/component/public/groups/invites.d.ts.map +0 -1
- package/dist/component/public/groups/invites.js.map +0 -1
- package/dist/component/public/groups/members.d.ts +0 -204
- package/dist/component/public/groups/members.d.ts.map +0 -1
- package/dist/component/public/groups/members.js.map +0 -1
- package/dist/component/public/identity/accounts.d.ts +0 -147
- package/dist/component/public/identity/accounts.d.ts.map +0 -1
- package/dist/component/public/identity/accounts.js.map +0 -1
- package/dist/component/public/identity/codes.d.ts +0 -104
- package/dist/component/public/identity/codes.d.ts.map +0 -1
- package/dist/component/public/identity/codes.js.map +0 -1
- package/dist/component/public/identity/sessions.d.ts +0 -128
- package/dist/component/public/identity/sessions.d.ts.map +0 -1
- package/dist/component/public/identity/sessions.js.map +0 -1
- package/dist/component/public/identity/tokens.d.ts +0 -169
- package/dist/component/public/identity/tokens.d.ts.map +0 -1
- package/dist/component/public/identity/tokens.js.map +0 -1
- package/dist/component/public/identity/users.d.ts +0 -212
- package/dist/component/public/identity/users.d.ts.map +0 -1
- package/dist/component/public/identity/users.js.map +0 -1
- package/dist/component/public/identity/verifiers.d.ts +0 -116
- package/dist/component/public/identity/verifiers.d.ts.map +0 -1
- package/dist/component/public/identity/verifiers.js.map +0 -1
- package/dist/component/public/security/keys.d.ts +0 -209
- package/dist/component/public/security/keys.d.ts.map +0 -1
- package/dist/component/public/security/keys.js.map +0 -1
- package/dist/component/public/security/limits.d.ts +0 -114
- package/dist/component/public/security/limits.d.ts.map +0 -1
- package/dist/component/public/security/limits.js.map +0 -1
- package/dist/component/public.d.ts +0 -28
- package/dist/component/public.d.ts.map +0 -1
- package/dist/component/schema.d.ts.map +0 -1
- package/dist/component/schema.js.map +0 -1
- package/dist/component/server/auth.d.ts +0 -447
- package/dist/component/server/auth.d.ts.map +0 -1
- package/dist/component/server/auth.js +0 -254
- package/dist/component/server/auth.js.map +0 -1
- package/dist/component/server/config.js +0 -121
- package/dist/component/server/config.js.map +0 -1
- package/dist/component/server/context.js +0 -53
- package/dist/component/server/context.js.map +0 -1
- package/dist/component/server/cookies.js +0 -47
- package/dist/component/server/cookies.js.map +0 -1
- package/dist/component/server/core.js +0 -576
- package/dist/component/server/core.js.map +0 -1
- package/dist/component/server/crypto.js +0 -56
- package/dist/component/server/crypto.js.map +0 -1
- package/dist/component/server/db.js +0 -87
- package/dist/component/server/db.js.map +0 -1
- package/dist/component/server/device.js +0 -152
- package/dist/component/server/device.js.map +0 -1
- package/dist/component/server/enterprise/config.js +0 -46
- package/dist/component/server/enterprise/config.js.map +0 -1
- package/dist/component/server/enterprise/domain.js +0 -974
- package/dist/component/server/enterprise/domain.js.map +0 -1
- package/dist/component/server/enterprise/http.js +0 -787
- package/dist/component/server/enterprise/http.js.map +0 -1
- package/dist/component/server/enterprise/oidc.js +0 -248
- package/dist/component/server/enterprise/oidc.js.map +0 -1
- package/dist/component/server/enterprise/policy.js +0 -85
- package/dist/component/server/enterprise/policy.js.map +0 -1
- package/dist/component/server/enterprise/saml.js.map +0 -1
- package/dist/component/server/enterprise/scim.js.map +0 -1
- package/dist/component/server/enterprise/shared.js +0 -51
- package/dist/component/server/enterprise/shared.js.map +0 -1
- package/dist/component/server/http.d.ts +0 -85
- package/dist/component/server/http.d.ts.map +0 -1
- package/dist/component/server/http.js +0 -351
- package/dist/component/server/http.js.map +0 -1
- package/dist/component/server/identity.js +0 -16
- package/dist/component/server/identity.js.map +0 -1
- package/dist/component/server/keys.js +0 -96
- package/dist/component/server/keys.js.map +0 -1
- package/dist/component/server/limits.js +0 -52
- package/dist/component/server/limits.js.map +0 -1
- package/dist/component/server/mutations/account.js +0 -46
- package/dist/component/server/mutations/account.js.map +0 -1
- package/dist/component/server/mutations/code.js +0 -68
- package/dist/component/server/mutations/code.js.map +0 -1
- package/dist/component/server/mutations/invalidate.js +0 -32
- package/dist/component/server/mutations/invalidate.js.map +0 -1
- package/dist/component/server/mutations/oauth.js +0 -116
- package/dist/component/server/mutations/oauth.js.map +0 -1
- package/dist/component/server/mutations/refresh.js +0 -119
- package/dist/component/server/mutations/refresh.js.map +0 -1
- package/dist/component/server/mutations/register.js +0 -87
- package/dist/component/server/mutations/register.js.map +0 -1
- package/dist/component/server/mutations/retrieve.js +0 -61
- package/dist/component/server/mutations/retrieve.js.map +0 -1
- package/dist/component/server/mutations/signature.js +0 -38
- package/dist/component/server/mutations/signature.js.map +0 -1
- package/dist/component/server/mutations/signin.js +0 -27
- package/dist/component/server/mutations/signin.js.map +0 -1
- package/dist/component/server/mutations/signout.js +0 -27
- package/dist/component/server/mutations/signout.js.map +0 -1
- package/dist/component/server/mutations/store/refs.js +0 -15
- package/dist/component/server/mutations/store/refs.js.map +0 -1
- package/dist/component/server/mutations/store.js +0 -70
- package/dist/component/server/mutations/store.js.map +0 -1
- package/dist/component/server/mutations/verifier.js +0 -18
- package/dist/component/server/mutations/verifier.js.map +0 -1
- package/dist/component/server/mutations/verify.js +0 -98
- package/dist/component/server/mutations/verify.js.map +0 -1
- package/dist/component/server/oauth.js +0 -242
- package/dist/component/server/oauth.js.map +0 -1
- package/dist/component/server/passkey.js +0 -415
- package/dist/component/server/passkey.js.map +0 -1
- package/dist/component/server/redirects.js +0 -40
- package/dist/component/server/redirects.js.map +0 -1
- package/dist/component/server/refresh.js +0 -99
- package/dist/component/server/refresh.js.map +0 -1
- package/dist/component/server/runtime.d.ts +0 -136
- package/dist/component/server/runtime.d.ts.map +0 -1
- package/dist/component/server/runtime.js +0 -456
- package/dist/component/server/runtime.js.map +0 -1
- package/dist/component/server/sessions.js +0 -71
- package/dist/component/server/sessions.js.map +0 -1
- package/dist/component/server/signin.js +0 -225
- package/dist/component/server/signin.js.map +0 -1
- package/dist/component/server/tokens.js +0 -17
- package/dist/component/server/tokens.js.map +0 -1
- package/dist/component/server/totp.js +0 -208
- package/dist/component/server/totp.js.map +0 -1
- package/dist/component/server/types.d.ts +0 -949
- package/dist/component/server/types.d.ts.map +0 -1
- package/dist/component/server/types.js +0 -79
- package/dist/component/server/types.js.map +0 -1
- package/dist/component/server/users.js +0 -123
- package/dist/component/server/users.js.map +0 -1
- package/dist/component/server/utils.js +0 -140
- package/dist/component/server/utils.js.map +0 -1
- package/dist/core/types.d.ts +0 -361
- package/dist/core/types.d.ts.map +0 -1
- package/dist/factors/device.js +0 -104
- package/dist/factors/device.js.map +0 -1
- package/dist/factors/passkey.js.map +0 -1
- package/dist/factors/totp.js.map +0 -1
- package/dist/providers/anonymous.d.ts.map +0 -1
- package/dist/providers/anonymous.js.map +0 -1
- package/dist/providers/credentials.d.ts.map +0 -1
- package/dist/providers/credentials.js.map +0 -1
- package/dist/providers/device.d.ts.map +0 -1
- package/dist/providers/device.js.map +0 -1
- package/dist/providers/email.d.ts.map +0 -1
- package/dist/providers/email.js.map +0 -1
- package/dist/providers/oauth.d.ts +0 -69
- package/dist/providers/oauth.d.ts.map +0 -1
- package/dist/providers/oauth.js +0 -43
- package/dist/providers/oauth.js.map +0 -1
- package/dist/providers/passkey.d.ts.map +0 -1
- package/dist/providers/passkey.js.map +0 -1
- package/dist/providers/password.d.ts.map +0 -1
- package/dist/providers/password.js.map +0 -1
- package/dist/providers/phone.d.ts.map +0 -1
- package/dist/providers/phone.js.map +0 -1
- package/dist/providers/sso.d.ts.map +0 -1
- package/dist/providers/sso.js.map +0 -1
- package/dist/providers/totp.d.ts.map +0 -1
- package/dist/providers/totp.js.map +0 -1
- package/dist/runtime/browser.js +0 -68
- package/dist/runtime/browser.js.map +0 -1
- package/dist/runtime/invite.js.map +0 -1
- package/dist/runtime/proxy.js +0 -70
- package/dist/runtime/proxy.js.map +0 -1
- package/dist/runtime/storage.js +0 -37
- package/dist/runtime/storage.js.map +0 -1
- package/dist/server/auth.d.ts.map +0 -1
- package/dist/server/auth.js.map +0 -1
- package/dist/server/config.d.ts +0 -1
- package/dist/server/config.js.map +0 -1
- package/dist/server/context.d.ts +0 -1
- package/dist/server/context.js.map +0 -1
- package/dist/server/cookies.d.ts +0 -1
- package/dist/server/cookies.js.map +0 -1
- package/dist/server/core.d.ts +0 -1315
- package/dist/server/core.d.ts.map +0 -1
- package/dist/server/core.js.map +0 -1
- package/dist/server/crypto.d.ts +0 -8
- package/dist/server/crypto.d.ts.map +0 -1
- package/dist/server/crypto.js.map +0 -1
- package/dist/server/db.d.ts +0 -1
- package/dist/server/db.js.map +0 -1
- package/dist/server/device.d.ts +0 -1
- package/dist/server/device.js.map +0 -1
- package/dist/server/enterprise/config.d.ts +0 -1
- package/dist/server/enterprise/config.js.map +0 -1
- package/dist/server/enterprise/domain.d.ts +0 -401
- package/dist/server/enterprise/domain.d.ts.map +0 -1
- package/dist/server/enterprise/domain.js +0 -974
- package/dist/server/enterprise/domain.js.map +0 -1
- package/dist/server/enterprise/http.d.ts +0 -26
- package/dist/server/enterprise/http.d.ts.map +0 -1
- package/dist/server/enterprise/http.js +0 -787
- package/dist/server/enterprise/http.js.map +0 -1
- package/dist/server/enterprise/oidc.d.ts +0 -1
- package/dist/server/enterprise/oidc.js +0 -248
- package/dist/server/enterprise/oidc.js.map +0 -1
- package/dist/server/enterprise/policy.d.ts +0 -1
- package/dist/server/enterprise/policy.js +0 -85
- package/dist/server/enterprise/policy.js.map +0 -1
- package/dist/server/enterprise/saml.d.ts +0 -1
- package/dist/server/enterprise/saml.js +0 -338
- package/dist/server/enterprise/saml.js.map +0 -1
- package/dist/server/enterprise/scim.d.ts +0 -1
- package/dist/server/enterprise/scim.js +0 -97
- package/dist/server/enterprise/scim.js.map +0 -1
- package/dist/server/enterprise/shared.d.ts +0 -5
- package/dist/server/enterprise/shared.d.ts.map +0 -1
- package/dist/server/enterprise/shared.js +0 -51
- package/dist/server/enterprise/shared.js.map +0 -1
- package/dist/server/enterprise/validators.d.ts +0 -1
- package/dist/server/enterprise/validators.js +0 -60
- package/dist/server/enterprise/validators.js.map +0 -1
- package/dist/server/http.d.ts.map +0 -1
- package/dist/server/http.js.map +0 -1
- package/dist/server/identity.d.ts +0 -1
- package/dist/server/identity.js.map +0 -1
- package/dist/server/keys.d.ts +0 -1
- package/dist/server/keys.js.map +0 -1
- package/dist/server/limits.d.ts +0 -1
- package/dist/server/limits.js.map +0 -1
- package/dist/server/mounts.d.ts.map +0 -1
- package/dist/server/mounts.js.map +0 -1
- package/dist/server/mutations/account.d.ts +0 -29
- package/dist/server/mutations/account.d.ts.map +0 -1
- package/dist/server/mutations/account.js.map +0 -1
- package/dist/server/mutations/code.d.ts +0 -30
- package/dist/server/mutations/code.d.ts.map +0 -1
- package/dist/server/mutations/code.js.map +0 -1
- package/dist/server/mutations/index.d.ts +0 -14
- package/dist/server/mutations/invalidate.d.ts +0 -20
- package/dist/server/mutations/invalidate.d.ts.map +0 -1
- package/dist/server/mutations/invalidate.js.map +0 -1
- package/dist/server/mutations/oauth.d.ts +0 -30
- package/dist/server/mutations/oauth.d.ts.map +0 -1
- package/dist/server/mutations/oauth.js.map +0 -1
- package/dist/server/mutations/refresh.d.ts +0 -21
- package/dist/server/mutations/refresh.d.ts.map +0 -1
- package/dist/server/mutations/refresh.js.map +0 -1
- package/dist/server/mutations/register.d.ts +0 -38
- package/dist/server/mutations/register.d.ts.map +0 -1
- package/dist/server/mutations/register.js.map +0 -1
- package/dist/server/mutations/retrieve.d.ts +0 -33
- package/dist/server/mutations/retrieve.d.ts.map +0 -1
- package/dist/server/mutations/retrieve.js.map +0 -1
- package/dist/server/mutations/signature.d.ts +0 -21
- package/dist/server/mutations/signature.d.ts.map +0 -1
- package/dist/server/mutations/signature.js.map +0 -1
- package/dist/server/mutations/signin.d.ts +0 -22
- package/dist/server/mutations/signin.d.ts.map +0 -1
- package/dist/server/mutations/signin.js.map +0 -1
- package/dist/server/mutations/signout.d.ts +0 -16
- package/dist/server/mutations/signout.d.ts.map +0 -1
- package/dist/server/mutations/signout.js.map +0 -1
- package/dist/server/mutations/store/refs.d.ts +0 -12
- package/dist/server/mutations/store/refs.d.ts.map +0 -1
- package/dist/server/mutations/store/refs.js.map +0 -1
- package/dist/server/mutations/store.d.ts +0 -306
- package/dist/server/mutations/store.d.ts.map +0 -1
- package/dist/server/mutations/store.js.map +0 -1
- package/dist/server/mutations/verifier.d.ts +0 -13
- package/dist/server/mutations/verifier.d.ts.map +0 -1
- package/dist/server/mutations/verifier.js.map +0 -1
- package/dist/server/mutations/verify.d.ts +0 -26
- package/dist/server/mutations/verify.d.ts.map +0 -1
- package/dist/server/mutations/verify.js.map +0 -1
- package/dist/server/oauth.d.ts +0 -1
- package/dist/server/oauth.js +0 -242
- package/dist/server/oauth.js.map +0 -1
- package/dist/server/passkey.d.ts +0 -27
- package/dist/server/passkey.d.ts.map +0 -1
- package/dist/server/passkey.js.map +0 -1
- package/dist/server/redirects.d.ts +0 -1
- package/dist/server/redirects.js.map +0 -1
- package/dist/server/refresh.d.ts +0 -1
- package/dist/server/refresh.js.map +0 -1
- package/dist/server/runtime.d.ts.map +0 -1
- package/dist/server/runtime.js.map +0 -1
- package/dist/server/sessions.d.ts +0 -1
- package/dist/server/sessions.js.map +0 -1
- package/dist/server/signin.d.ts +0 -1
- package/dist/server/signin.js.map +0 -1
- package/dist/server/ssr.d.ts.map +0 -1
- package/dist/server/ssr.js +0 -777
- package/dist/server/ssr.js.map +0 -1
- package/dist/server/templates.d.ts +0 -1
- package/dist/server/templates.js.map +0 -1
- package/dist/server/tokens.d.ts +0 -1
- package/dist/server/tokens.js.map +0 -1
- package/dist/server/totp.d.ts +0 -1
- package/dist/server/totp.js.map +0 -1
- package/dist/server/types.d.ts.map +0 -1
- package/dist/server/types.js.map +0 -1
- package/dist/server/users.d.ts +0 -1
- package/dist/server/users.js.map +0 -1
- package/dist/server/utils.d.ts +0 -1
- package/dist/server/utils.js +0 -140
- package/dist/server/utils.js.map +0 -1
- package/src/authorization/index.ts +0 -83
- package/src/cli/bin.ts +0 -5
- package/src/cli/command.ts +0 -70
- package/src/cli/index.ts +0 -1112
- package/src/cli/keys.ts +0 -23
- package/src/client/core/types.ts +0 -437
- package/src/client/factors/device.ts +0 -158
- package/src/client/factors/passkey.ts +0 -279
- package/src/client/factors/totp.ts +0 -150
- package/src/client/index.ts +0 -1124
- package/src/client/runtime/browser.ts +0 -112
- package/src/client/runtime/invite.ts +0 -63
- package/src/client/runtime/proxy.ts +0 -111
- package/src/client/runtime/storage.ts +0 -79
- package/src/component/_generated/api.ts +0 -96
- package/src/component/_generated/component.ts +0 -3774
- package/src/component/_generated/dataModel.ts +0 -60
- package/src/component/_generated/server.ts +0 -156
- package/src/component/convex.config.ts +0 -5
- package/src/component/functions.ts +0 -104
- package/src/component/index.ts +0 -42
- package/src/component/model.ts +0 -449
- package/src/component/public/enterprise/audit.ts +0 -125
- package/src/component/public/enterprise/core.ts +0 -355
- package/src/component/public/enterprise/domains.ts +0 -327
- package/src/component/public/enterprise/scim.ts +0 -397
- package/src/component/public/enterprise/secrets.ts +0 -133
- package/src/component/public/enterprise/webhooks.ts +0 -307
- package/src/component/public/factors/devices.ts +0 -224
- package/src/component/public/factors/passkeys.ts +0 -243
- package/src/component/public/factors/totp.ts +0 -259
- package/src/component/public/groups/core.ts +0 -481
- package/src/component/public/groups/invites.ts +0 -608
- package/src/component/public/groups/members.ts +0 -410
- package/src/component/public/identity/accounts.ts +0 -207
- package/src/component/public/identity/codes.ts +0 -149
- package/src/component/public/identity/sessions.ts +0 -210
- package/src/component/public/identity/tokens.ts +0 -251
- package/src/component/public/identity/users.ts +0 -355
- package/src/component/public/identity/verifiers.ts +0 -158
- package/src/component/public/security/keys.ts +0 -366
- package/src/component/public/security/limits.ts +0 -174
- package/src/component/public.ts +0 -27
- package/src/component/schema.ts +0 -505
- package/src/providers/anonymous.ts +0 -99
- package/src/providers/credentials.ts +0 -102
- package/src/providers/device.ts +0 -87
- package/src/providers/email.ts +0 -99
- package/src/providers/index.ts +0 -31
- package/src/providers/oauth.ts +0 -117
- package/src/providers/passkey.ts +0 -77
- package/src/providers/password.ts +0 -441
- package/src/providers/phone.ts +0 -93
- package/src/providers/sso.ts +0 -54
- package/src/providers/totp.ts +0 -62
- package/src/samlify.d.ts +0 -53
- package/src/server/auth.ts +0 -949
- package/src/server/config.ts +0 -200
- package/src/server/context.ts +0 -90
- package/src/server/cookies.ts +0 -49
- package/src/server/core.ts +0 -2004
- package/src/server/crypto.ts +0 -90
- package/src/server/db.ts +0 -203
- package/src/server/device.ts +0 -254
- package/src/server/enterprise/config.ts +0 -51
- package/src/server/enterprise/domain.ts +0 -1739
- package/src/server/enterprise/http.ts +0 -1331
- package/src/server/enterprise/oidc.ts +0 -500
- package/src/server/enterprise/policy.ts +0 -128
- package/src/server/enterprise/saml.ts +0 -578
- package/src/server/enterprise/scim.ts +0 -135
- package/src/server/enterprise/shared.ts +0 -134
- package/src/server/enterprise/validators.ts +0 -93
- package/src/server/http.ts +0 -790
- package/src/server/identity.ts +0 -18
- package/src/server/index.ts +0 -40
- package/src/server/keys.ts +0 -158
- package/src/server/limits.ts +0 -107
- package/src/server/mounts.ts +0 -924
- package/src/server/mutations/account.ts +0 -62
- package/src/server/mutations/code.ts +0 -119
- package/src/server/mutations/index.ts +0 -13
- package/src/server/mutations/invalidate.ts +0 -50
- package/src/server/mutations/oauth.ts +0 -243
- package/src/server/mutations/refresh.ts +0 -299
- package/src/server/mutations/register.ts +0 -155
- package/src/server/mutations/retrieve.ts +0 -109
- package/src/server/mutations/signature.ts +0 -57
- package/src/server/mutations/signin.ts +0 -54
- package/src/server/mutations/signout.ts +0 -43
- package/src/server/mutations/store/refs.ts +0 -10
- package/src/server/mutations/store.ts +0 -123
- package/src/server/mutations/verifier.ts +0 -34
- package/src/server/mutations/verify.ts +0 -200
- package/src/server/oauth.ts +0 -418
- package/src/server/passkey.ts +0 -838
- package/src/server/redirects.ts +0 -59
- package/src/server/refresh.ts +0 -218
- package/src/server/runtime.ts +0 -918
- package/src/server/sessions.ts +0 -132
- package/src/server/signin.ts +0 -445
- package/src/server/ssr.ts +0 -1747
- package/src/server/templates.ts +0 -82
- package/src/server/tokens.ts +0 -35
- package/src/server/totp.ts +0 -399
- package/src/server/types.ts +0 -1942
- package/src/server/users.ts +0 -291
- package/src/server/utils.ts +0 -220
- /package/dist/{runtime → client/runtime}/invite.js +0 -0
|
@@ -1,254 +0,0 @@
|
|
|
1
|
-
import { createUnauthenticatedAuthContext, getAuthContext } from "./context.js";
|
|
2
|
-
import { Auth } from "./runtime.js";
|
|
3
|
-
import { Cv } from "@robelest/fx/convex";
|
|
4
|
-
|
|
5
|
-
//#region src/server/auth.ts
|
|
6
|
-
/**
|
|
7
|
-
* Auth configuration helpers for Convex Auth.
|
|
8
|
-
*
|
|
9
|
-
* @module
|
|
10
|
-
*/
|
|
11
|
-
/**
|
|
12
|
-
* Create an auth API object.
|
|
13
|
-
*
|
|
14
|
-
* When `new SSO()` is included in providers, `auth.sso` and `auth.scim`
|
|
15
|
-
* are available on the returned object. Without it, those namespaces are
|
|
16
|
-
* absent and accessing them is a TypeScript compile error.
|
|
17
|
-
*
|
|
18
|
-
* @param component - The installed auth component reference from
|
|
19
|
-
* `components.auth` in your Convex app definition.
|
|
20
|
-
* @param config - Auth configuration including `providers` and optional
|
|
21
|
-
* `authorization`. All fields from {@link AuthConfig} are accepted
|
|
22
|
-
* except `component` (passed as the first argument).
|
|
23
|
-
* @returns A {@link ConvexAuthResult} object — either {@link AuthApi}
|
|
24
|
-
* (with `sso`/`scim`) or {@link AuthApiBase}, depending on whether
|
|
25
|
-
* an SSO provider is present.
|
|
26
|
-
*
|
|
27
|
-
* @example
|
|
28
|
-
* ```ts
|
|
29
|
-
* export const auth = createAuth(components.auth, {
|
|
30
|
-
* providers: [password(), google()],
|
|
31
|
-
* authorization: { roles },
|
|
32
|
-
* });
|
|
33
|
-
* ```
|
|
34
|
-
*
|
|
35
|
-
* @see {@link AuthContextConfig}
|
|
36
|
-
*/
|
|
37
|
-
async function resolveConfiguredAuthContext(auth, ctx, config) {
|
|
38
|
-
const fallback = () => getAuthContext(auth, ctx);
|
|
39
|
-
const authOverride = config?.authResolve ? await config.authResolve(ctx, fallback) : void 0;
|
|
40
|
-
return authOverride === void 0 ? await fallback() : authOverride;
|
|
41
|
-
}
|
|
42
|
-
function createNotSignedInError() {
|
|
43
|
-
return Cv.error({
|
|
44
|
-
code: "NOT_SIGNED_IN",
|
|
45
|
-
message: "Authentication required."
|
|
46
|
-
});
|
|
47
|
-
}
|
|
48
|
-
async function createPublicAuthContext(auth, ctx, config) {
|
|
49
|
-
const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
|
|
50
|
-
if (resolved === null) {
|
|
51
|
-
if (config?.optional !== true) throw createNotSignedInError();
|
|
52
|
-
return createUnauthenticatedAuthContext();
|
|
53
|
-
}
|
|
54
|
-
const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
|
|
55
|
-
return {
|
|
56
|
-
...resolved,
|
|
57
|
-
...extra
|
|
58
|
-
};
|
|
59
|
-
}
|
|
60
|
-
function createAuth(component, config) {
|
|
61
|
-
const authResult = Auth({
|
|
62
|
-
...config,
|
|
63
|
-
component,
|
|
64
|
-
providers: [...config.providers]
|
|
65
|
-
});
|
|
66
|
-
const { domain: domainApi, scim: scimApi, connection: connectionApi, audit: auditApi, webhook: webhookApi, oidc: oidcApi, saml: samlApi, ...restSso } = authResult.auth.sso;
|
|
67
|
-
const setEnterpriseDomains = async (ctx, enterpriseId, domains) => {
|
|
68
|
-
const enterprise = await connectionApi.get(ctx, enterpriseId);
|
|
69
|
-
if (enterprise === null) throw Cv.error({
|
|
70
|
-
code: "INVALID_PARAMETERS",
|
|
71
|
-
message: "Enterprise not found."
|
|
72
|
-
});
|
|
73
|
-
const normalized = domains.map((entry) => ({
|
|
74
|
-
...entry,
|
|
75
|
-
domain: entry.domain.trim().toLowerCase()
|
|
76
|
-
}));
|
|
77
|
-
const deduped = /* @__PURE__ */ new Map();
|
|
78
|
-
for (const entry of normalized) {
|
|
79
|
-
if (entry.domain.length === 0) throw Cv.error({
|
|
80
|
-
code: "INVALID_PARAMETERS",
|
|
81
|
-
message: "Domain must not be empty."
|
|
82
|
-
});
|
|
83
|
-
if (deduped.has(entry.domain)) throw Cv.error({
|
|
84
|
-
code: "INVALID_PARAMETERS",
|
|
85
|
-
message: `Duplicate domain: ${entry.domain}`
|
|
86
|
-
});
|
|
87
|
-
deduped.set(entry.domain, entry);
|
|
88
|
-
}
|
|
89
|
-
const nextDomains = [...deduped.values()];
|
|
90
|
-
const primaryCount = nextDomains.filter((entry) => entry.isPrimary).length;
|
|
91
|
-
if (primaryCount > 1) throw Cv.error({
|
|
92
|
-
code: "INVALID_PARAMETERS",
|
|
93
|
-
message: "Only one primary domain may be set."
|
|
94
|
-
});
|
|
95
|
-
if (nextDomains.length > 0 && primaryCount === 0) nextDomains[0] = {
|
|
96
|
-
...nextDomains[0],
|
|
97
|
-
isPrimary: true
|
|
98
|
-
};
|
|
99
|
-
const currentDomains = await domainApi.list(ctx, enterpriseId);
|
|
100
|
-
const currentByDomain = new Map(currentDomains.map((entry) => [entry.domain.toLowerCase(), entry]));
|
|
101
|
-
for (const existing of currentDomains) if (!deduped.has(existing.domain.toLowerCase())) await domainApi.remove(ctx, existing._id);
|
|
102
|
-
for (const nextDomain of nextDomains) {
|
|
103
|
-
const current = currentByDomain.get(nextDomain.domain);
|
|
104
|
-
if (current && current.isPrimary === Boolean(nextDomain.isPrimary)) continue;
|
|
105
|
-
if (current) await domainApi.remove(ctx, current._id);
|
|
106
|
-
const domainId = await domainApi.add(ctx, {
|
|
107
|
-
enterpriseId: enterprise._id,
|
|
108
|
-
groupId: enterprise.groupId,
|
|
109
|
-
domain: nextDomain.domain,
|
|
110
|
-
isPrimary: nextDomain.isPrimary
|
|
111
|
-
});
|
|
112
|
-
if (current?.verifiedAt !== void 0) await ctx.runMutation(component.public.enterpriseDomainVerify, {
|
|
113
|
-
domainId,
|
|
114
|
-
verifiedAt: current.verifiedAt
|
|
115
|
-
});
|
|
116
|
-
}
|
|
117
|
-
return {
|
|
118
|
-
enterpriseId,
|
|
119
|
-
domains: (await domainApi.list(ctx, enterpriseId)).map((domain) => ({
|
|
120
|
-
domainId: domain._id,
|
|
121
|
-
domain: domain.domain,
|
|
122
|
-
isPrimary: domain.isPrimary,
|
|
123
|
-
verified: domain.verifiedAt !== void 0,
|
|
124
|
-
verifiedAt: domain.verifiedAt ?? null
|
|
125
|
-
}))
|
|
126
|
-
};
|
|
127
|
-
};
|
|
128
|
-
const publicSso = {
|
|
129
|
-
admin: {
|
|
130
|
-
...restSso,
|
|
131
|
-
oidc: { ...oidcApi },
|
|
132
|
-
saml: { ...samlApi },
|
|
133
|
-
connection: {
|
|
134
|
-
...connectionApi,
|
|
135
|
-
domain: {
|
|
136
|
-
list: domainApi.list,
|
|
137
|
-
validate: domainApi.validate,
|
|
138
|
-
set: setEnterpriseDomains,
|
|
139
|
-
verification: {
|
|
140
|
-
request: domainApi.verification.request,
|
|
141
|
-
confirm: domainApi.verification.confirm
|
|
142
|
-
}
|
|
143
|
-
}
|
|
144
|
-
},
|
|
145
|
-
policy: restSso.policy,
|
|
146
|
-
audit: { list: auditApi.list },
|
|
147
|
-
webhook: {
|
|
148
|
-
endpoint: webhookApi.endpoint,
|
|
149
|
-
delivery: { list: webhookApi.delivery.list }
|
|
150
|
-
}
|
|
151
|
-
},
|
|
152
|
-
client: {
|
|
153
|
-
signIn: oidcApi.signIn,
|
|
154
|
-
metadata: samlApi.metadata
|
|
155
|
-
}
|
|
156
|
-
};
|
|
157
|
-
return {
|
|
158
|
-
signIn: authResult.signIn,
|
|
159
|
-
signOut: authResult.signOut,
|
|
160
|
-
store: authResult.store,
|
|
161
|
-
user: authResult.auth.user,
|
|
162
|
-
session: authResult.auth.session,
|
|
163
|
-
provider: authResult.auth.provider,
|
|
164
|
-
account: authResult.auth.account,
|
|
165
|
-
group: authResult.auth.group,
|
|
166
|
-
member: authResult.auth.member,
|
|
167
|
-
invite: authResult.auth.invite,
|
|
168
|
-
key: authResult.auth.key,
|
|
169
|
-
sso: publicSso,
|
|
170
|
-
scim: { admin: {
|
|
171
|
-
configure: scimApi.configure,
|
|
172
|
-
get: scimApi.get,
|
|
173
|
-
validate: scimApi.validate
|
|
174
|
-
} },
|
|
175
|
-
http: authResult.auth.http,
|
|
176
|
-
context: ((ctx, config$1) => createPublicAuthContext(authResult.auth, ctx, config$1)),
|
|
177
|
-
ctx: ((config$1) => createAuthContextCustomization(authResult.auth, config$1))
|
|
178
|
-
};
|
|
179
|
-
}
|
|
180
|
-
/**
|
|
181
|
-
* Create a context enrichment for `customQuery` / `customMutation` — optional auth.
|
|
182
|
-
*
|
|
183
|
-
* When `optional: true` is set, unauthenticated requests are allowed.
|
|
184
|
-
* The enriched `ctx.auth` will have `userId: null`, `user: null`,
|
|
185
|
-
* `groupId: null`, `role: null`, and `grants: []` for unauthenticated callers.
|
|
186
|
-
*
|
|
187
|
-
* @param config - Configuration with `optional: true` and an optional
|
|
188
|
-
* `resolve` callback for attaching extra fields to the auth context.
|
|
189
|
-
* @returns An object with `args` and `input` compatible with Convex
|
|
190
|
-
* custom function builders.
|
|
191
|
-
*
|
|
192
|
-
* @example
|
|
193
|
-
* ```ts
|
|
194
|
-
* const authCtx = auth.ctx({
|
|
195
|
-
* optional: true,
|
|
196
|
-
* resolve: async (_ctx, user) => ({ plan: user.extend?.plan ?? null }),
|
|
197
|
-
* });
|
|
198
|
-
* ```
|
|
199
|
-
*
|
|
200
|
-
* @see {@link createAuth}
|
|
201
|
-
*/
|
|
202
|
-
/**
|
|
203
|
-
* Create a context enrichment for `customQuery` / `customMutation` — required auth (default).
|
|
204
|
-
*
|
|
205
|
-
* When `optional` is omitted or `false`, unauthenticated requests throw a
|
|
206
|
-
* structured `ConvexError` before your handler runs.
|
|
207
|
-
*
|
|
208
|
-
* @param config - Optional configuration with a `resolve` callback
|
|
209
|
-
* for attaching extra fields to the auth context.
|
|
210
|
-
* @returns An object with `args` and `input` compatible with Convex
|
|
211
|
-
* custom function builders.
|
|
212
|
-
*
|
|
213
|
-
* @example
|
|
214
|
-
* ```ts
|
|
215
|
-
* const authCtx = auth.ctx({
|
|
216
|
-
* resolve: async (_ctx, user) => ({ email: user.email }),
|
|
217
|
-
* });
|
|
218
|
-
* ```
|
|
219
|
-
*
|
|
220
|
-
* @see {@link createAuth}
|
|
221
|
-
*/
|
|
222
|
-
function createAuthContextCustomization(auth, config) {
|
|
223
|
-
return {
|
|
224
|
-
args: {},
|
|
225
|
-
input: async (ctx, _args, _extra) => {
|
|
226
|
-
const nativeAuth = ctx.auth;
|
|
227
|
-
const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);
|
|
228
|
-
const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
|
|
229
|
-
if (resolved === null) {
|
|
230
|
-
if (config?.optional !== true) throw createNotSignedInError();
|
|
231
|
-
return {
|
|
232
|
-
ctx: { auth: {
|
|
233
|
-
getUserIdentity,
|
|
234
|
-
...createUnauthenticatedAuthContext()
|
|
235
|
-
} },
|
|
236
|
-
args: {}
|
|
237
|
-
};
|
|
238
|
-
}
|
|
239
|
-
const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
|
|
240
|
-
return {
|
|
241
|
-
ctx: { auth: {
|
|
242
|
-
getUserIdentity,
|
|
243
|
-
...resolved,
|
|
244
|
-
...extra
|
|
245
|
-
} },
|
|
246
|
-
args: {}
|
|
247
|
-
};
|
|
248
|
-
}
|
|
249
|
-
};
|
|
250
|
-
}
|
|
251
|
-
|
|
252
|
-
//#endregion
|
|
253
|
-
export { createAuth };
|
|
254
|
-
//# sourceMappingURL=auth.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","names":["getResolvedAuthContext","AuthFactory","config"],"sources":["../../../src/server/auth.ts"],"sourcesContent":["/**\n * Auth configuration helpers for Convex Auth.\n *\n * @module\n */\n\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { UserIdentity } from \"convex/server\";\nimport type { GenericId } from \"convex/values\";\n\nimport type { AuthApiRefs } from \"../client/index\";\nimport {\n createUnauthenticatedAuthContext,\n getAuthContext as getResolvedAuthContext,\n} from \"./context\";\nimport { Auth as AuthFactory } from \"./runtime\";\nimport type { Doc } from \"./types\";\nimport type {\n AuthAuthorizationConfig,\n AuthGrant,\n AuthProviderConfig,\n AuthRoleDefinition,\n AuthRoleId,\n ConvexAuthConfig,\n HasDeviceProvider,\n HasPasskeyProvider,\n HasSSO,\n HasTotpProvider,\n} from \"./types\";\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * Config for auth setup. Extends the standard auth config\n * minus `component` (which is passed as the first constructor argument).\n */\nexport type AuthConfig = Omit<ConvexAuthConfig, \"component\">;\n\n/** Canonical user document type exposed by Convex Auth. */\nexport type UserDoc = Doc<\"User\">;\n\ntype MemberApiWithAuthorization<\n TAuthorization extends AuthAuthorizationConfig | undefined,\n> = Omit<\n ReturnType<typeof AuthFactory>[\"auth\"][\"member\"],\n \"create\" | \"list\" | \"update\" | \"inspect\" | \"require\"\n> & {\n create: (\n ctx: Parameters<\n ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"create\"]\n >[0],\n data: {\n groupId: string;\n userId: string;\n roleIds?: AuthRoleId<TAuthorization>[];\n status?: string;\n extend?: Record<string, unknown>;\n },\n ) => Promise<{ memberId: string }>;\n list: (\n ctx: Parameters<\n ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"list\"]\n >[0],\n opts?: {\n where?: {\n groupId?: string;\n userId?: string;\n roleId?: AuthRoleId<TAuthorization>;\n status?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"status\";\n order?: \"asc\" | \"desc\";\n },\n ) => ReturnType<ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"list\"]>;\n update: (\n ctx: Parameters<\n ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"update\"]\n >[0],\n memberId: string,\n data: Record<string, unknown> & { roleIds?: AuthRoleId<TAuthorization>[] },\n ) => Promise<{ memberId: string }>;\n inspect: (\n ctx: Parameters<\n ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"inspect\"]\n >[0],\n opts: {\n userId: string;\n groupId: string;\n ancestry?: boolean;\n maxDepth?: number;\n },\n ) => ReturnType<ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"inspect\"]>;\n require: (\n ctx: Parameters<\n ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"require\"]\n >[0],\n opts: {\n userId: string;\n groupId: string;\n ancestry?: boolean;\n roleIds?: AuthRoleId<TAuthorization>[];\n grants?: AuthGrant<TAuthorization>[];\n maxDepth?: number;\n },\n ) => ReturnType<ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"require\"]>;\n};\n\n/**\n * The base auth API surface returned by {@link createAuth}.\n *\n * Provides core namespaces — `signIn`, `signOut`, `user`, `session`,\n * `member`, `invite`, `group`, `key`, and `http` — that are\n * always available regardless of which providers are configured.\n * Enterprise namespaces (`sso`, `scim`) are added conditionally by\n * {@link AuthApi} when an SSO provider is present.\n *\n * Use this type when you want to describe code that only depends on the\n * standard auth surface and should not assume enterprise features exist.\n *\n * @typeParam TAuthorization - The authorization config, used to narrow\n * role IDs and grant strings on the `member` API.\n */\nexport type AuthApiBase<\n TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> = {\n signIn: ReturnType<typeof AuthFactory>[\"signIn\"];\n signOut: ReturnType<typeof AuthFactory>[\"signOut\"];\n store: ReturnType<typeof AuthFactory>[\"store\"];\n user: ReturnType<typeof AuthFactory>[\"auth\"][\"user\"];\n session: ReturnType<typeof AuthFactory>[\"auth\"][\"session\"];\n provider: ReturnType<typeof AuthFactory>[\"auth\"][\"provider\"];\n account: ReturnType<typeof AuthFactory>[\"auth\"][\"account\"];\n group: ReturnType<typeof AuthFactory>[\"auth\"][\"group\"];\n member: MemberApiWithAuthorization<TAuthorization>;\n invite: ReturnType<typeof AuthFactory>[\"auth\"][\"invite\"];\n key: ReturnType<typeof AuthFactory>[\"auth\"][\"key\"];\n http: ReturnType<typeof AuthFactory>[\"auth\"][\"http\"];\n /**\n * Resolve the current request's auth context. Framework-agnostic — use\n * this in fluent-convex middleware, custom wrappers, or anywhere you\n * need the current `{ userId, user, groupId, role, grants }` object.\n *\n * Throws a structured `ConvexError` when unauthenticated by default.\n * Pass `{ optional: true }` to get a null-shaped auth object instead.\n *\n * @param ctx - Convex query, mutation, or action context.\n * @param config - Optional auth resolution config. Supports `optional`,\n * `resolve`, and `authResolve`.\n * @returns The current auth context.\n *\n * @example fluent-convex middleware\n * ```ts\n * const withAuth = convex.createMiddleware(async (ctx, next) => {\n * return next({ ...ctx, auth: await auth.context(ctx) });\n * });\n * ```\n *\n * @example Direct usage in a handler\n * ```ts\n * const authContext = await auth.context(ctx);\n * const { userId, grants } = authContext;\n * ```\n *\n * @example Optional usage\n * ```ts\n * const authContext = await auth.context(ctx, { optional: true });\n * if (authContext.userId === null) {\n * return null;\n * }\n * ```\n */\n context: AuthContextResolver;\n /**\n * Context enrichment for convex-helpers `customQuery` / `customMutation` /\n * `customAction`.\n *\n * Resolves the current user's identity, active group, membership role,\n * and grants, then attaches them to `ctx.auth`. Returns a `Customization`\n * object compatible with convex-helpers' custom function builders.\n *\n * `ctx.auth` is the current request auth context.\n * By default this throws when unauthenticated so handlers can assume\n * `ctx.auth.userId` and `ctx.auth.user` exist.\n *\n * @returns A convex-helpers `Customization` object.\n *\n * @example One-time setup in `convex/functions.ts`\n * ```ts\n * import { query, mutation, action } from \"./_generated/server\";\n * import { customQuery, customMutation, customAction } from \"convex-helpers/server/customFunctions\";\n * import { auth } from \"./auth\";\n *\n * export const authQuery = customQuery(query, auth.ctx());\n * export const authMutation = customMutation(mutation, auth.ctx());\n * export const authAction = customAction(action, auth.ctx());\n * ```\n *\n * @example Per-function usage\n * ```ts\n * import { authQuery } from \"./functions\";\n *\n * export const list = authQuery({\n * args: { workspaceId: v.string() },\n * handler: async (ctx, args) => {\n * const { userId, groupId, grants } = ctx.auth;\n * // business logic\n * },\n * });\n * ```\n */\n ctx: AuthContextFactory;\n};\n\n/**\n * Current request auth context injected into `ctx.auth` by `auth.ctx()`. This\n * is the authenticated auth shape returned by {@link createAuth().context}.\n * Optional context builders may still surface nullable fields when\n * `optional: true` is used.\n *\n * - `groupId` is `null` when the user has no active group set.\n * - `role` is `null` when no active group or no membership is resolved.\n * - `grants` is `[]` when no active group or no membership is resolved.\n *\n * @example\n * ```ts\n * import type { AuthContext } from \"@robelest/convex-auth/server\";\n *\n * const mockAuth: AuthContext = {\n * userId: \"user123\" as Id<\"User\">,\n * user: { _id: \"user123\", email: \"test@example.com\" },\n * groupId: \"group456\",\n * role: \"admin\",\n * grants: [\"read\", \"write\"],\n * };\n * ```\n */\nexport type AuthContext = {\n /** The authenticated user's document ID. */\n userId: GenericId<\"User\">;\n /** The authenticated user's full document. */\n user: UserDoc;\n /** The user's active group ID, or `null` if none set. */\n groupId: string | null;\n /** The user's primary role in the active group, or `null`. */\n role: string | null;\n /** Resolved grant strings from the user's role definitions. */\n grants: string[];\n};\n\n/**\n * Nullable auth context returned by `auth.context(ctx, { optional: true })`\n * and injected by `auth.ctx({ optional: true })`.\n *\n * Use this when callers may be unauthenticated but you still want a stable\n * auth-shaped object.\n *\n * - `userId` and `user` are `null` when unauthenticated.\n * - `groupId` and `role` are `null` when no active group is resolved.\n * - `grants` is `[]` when no membership is resolved.\n *\n * @example\n * ```ts\n * const authContext = await auth.context(ctx, { optional: true });\n * if (authContext.userId === null) {\n * return null;\n * }\n * ```\n */\nexport type OptionalAuthContext = {\n /** The authenticated user's document ID, or `null` when unauthenticated. */\n userId: GenericId<\"User\"> | null;\n /** The authenticated user's full document, or `null` when unauthenticated. */\n user: UserDoc | null;\n /** The user's active group ID, or `null` if none is set. */\n groupId: string | null;\n /** The user's primary role in the active group, or `null`. */\n role: string | null;\n /** Resolved grant strings for the active membership, or `[]`. */\n grants: string[];\n};\n\ntype AuthContextBase = {\n getUserIdentity: () => Promise<UserIdentity | null>;\n};\n\ntype RequiredAuthContextState = AuthContextBase & AuthContext;\n\ntype OptionalAuthContextState = AuthContextBase & OptionalAuthContext;\n\ntype ResolvedAuthContext<TResolve> = AuthContext & TResolve;\n\ntype ResolvedOptionalAuthContext<TResolve> = OptionalAuthContext & TResolve;\n\ntype AuthContextResolver = {\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n ctx: any,\n config: AuthContextConfig<TResolve> & { optional: true },\n ): Promise<ResolvedOptionalAuthContext<TResolve>>;\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n ctx: any,\n config?: AuthContextConfig<TResolve>,\n ): Promise<ResolvedAuthContext<TResolve>>;\n};\n\ntype AuthContextCustomization<TAuth> = {\n args: {};\n input: (\n ctx: any,\n _args: any,\n _extra?: any,\n ) => Promise<{\n ctx: {\n auth: TAuth;\n };\n args: {};\n }>;\n};\n\ntype AuthContextFactory = {\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n config: AuthContextConfig<TResolve> & { optional: true },\n ): AuthContextCustomization<OptionalAuthContextState & TResolve>;\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n config?: AuthContextConfig<TResolve>,\n ): AuthContextCustomization<RequiredAuthContextState & TResolve>;\n};\n\ntype InternalSsoApi = ReturnType<typeof AuthFactory>[\"auth\"][\"sso\"];\n\ntype PublicSsoAdminApi = {\n connection: InternalSsoApi[\"connection\"] & {\n domain: {\n list: InternalSsoApi[\"domain\"][\"list\"];\n validate: InternalSsoApi[\"domain\"][\"validate\"];\n set: (\n ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n enterpriseId: string,\n domains: Array<{\n domain: string;\n isPrimary?: boolean;\n }>,\n ) => Promise<{\n enterpriseId: string;\n domains: Array<{\n domainId: string;\n domain: string;\n isPrimary: boolean;\n verified: boolean;\n verifiedAt: number | null;\n }>;\n }>;\n verification: {\n request: (\n ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n args: { enterpriseId: string; domain: string },\n ) => Promise<{\n enterpriseId: string;\n domain: string;\n requestedAt: number;\n expiresAt: number;\n challenge: {\n recordType: \"TXT\";\n recordName: string;\n recordValue: string;\n };\n }>;\n confirm: (\n ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n args: { enterpriseId: string; domain: string },\n ) => Promise<{\n enterpriseId: string;\n domain: string;\n verifiedAt?: number;\n checks: Array<{ name: string; ok: boolean; message?: string }>;\n }>;\n };\n };\n };\n oidc: Omit<InternalSsoApi[\"oidc\"], \"signIn\">;\n saml: Omit<InternalSsoApi[\"saml\"], \"metadata\">;\n policy: InternalSsoApi[\"policy\"];\n audit: {\n list: InternalSsoApi[\"audit\"][\"list\"];\n };\n webhook: {\n endpoint: InternalSsoApi[\"webhook\"][\"endpoint\"];\n delivery: {\n list: InternalSsoApi[\"webhook\"][\"delivery\"][\"list\"];\n };\n };\n};\n\ntype PublicSsoClientApi = {\n signIn: InternalSsoApi[\"oidc\"][\"signIn\"];\n metadata: InternalSsoApi[\"saml\"][\"metadata\"];\n};\n\ntype PublicSsoApi = {\n admin: PublicSsoAdminApi;\n client: PublicSsoClientApi;\n};\n\ntype PublicScimApi = {\n admin: Omit<InternalSsoApi[\"scim\"], \"getConfigByToken\" | \"identity\">;\n};\n\n/**\n * Extended auth API that includes enterprise SSO and SCIM namespaces.\n *\n * This type is the union of {@link AuthApiBase} plus `sso` (SSO connection\n * management, OIDC/SAML, domain verification, policies, audit, webhooks)\n * and `scim` (SCIM provisioning configuration). It is returned by\n * {@link createAuth} only when `new SSO()` is included in the providers\n * array; otherwise the narrower {@link AuthApiBase} is returned instead.\n * Attempting to access `auth.sso` or `auth.scim` without an SSO provider\n * produces a compile-time error because the return type narrows back to\n * {@link AuthApiBase}.\n *\n * @typeParam TAuthorization - The authorization config, forwarded to\n * {@link AuthApiBase} for typed role IDs and grant strings.\n */\nexport type AuthApi<\n TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> = AuthApiBase<TAuthorization> & {\n sso: PublicSsoApi;\n scim: PublicScimApi;\n};\n\n/**\n * The return type of {@link createAuth}.\n *\n * Resolves to {@link AuthApi} (with `sso` and `scim` namespaces) when\n * `new SSO()` is present in the providers array, or to the narrower\n * {@link AuthApiBase} otherwise. This conditional type ensures that\n * enterprise-only APIs are only accessible when the SSO provider is\n * configured, producing a compile-time error if you try to access\n * `auth.sso` without it.\n * This lets application code keep a single `createAuth()` call while still\n * getting provider-aware typing on the resulting API object.\n *\n * @typeParam P - The tuple of provider configs passed to `createAuth`.\n * @typeParam TAuthorization - Optional authorization config for typed roles/grants.\n */\nexport type ConvexAuthResult<\n P extends AuthProviderConfig[],\n TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> =\n HasSSO<P> extends true\n ? AuthApi<TAuthorization>\n : AuthApiBase<TAuthorization>;\n\n/**\n * Infer the typed `AuthApiRefs` for the client SDK from a `createAuth` call.\n *\n * Use this as the generic parameter for `client()` on the frontend:\n *\n * ```ts\n * // convex/auth.ts\n * export const auth = createAuth(components.auth, { providers: [...] });\n *\n * // Frontend\n * import type { auth } from \"../convex/auth\";\n * import type { InferClientApi } from \"@robelest/convex-auth/server\";\n * const c = client<InferClientApi<typeof auth>>({ convex, api: api.auth });\n * ```\n *\n * @typeParam T - A ConvexAuthResult to extract the client API from.\n */\nexport type InferClientApi<T> =\n T extends ConvexAuthResult<infer P>\n ? AuthApiRefs<\n HasPasskeyProvider<P>,\n HasTotpProvider<P>,\n HasDeviceProvider<P>\n >\n : AuthApiRefs;\n\n/** @internal */\nexport type AuthLike = Pick<AuthApiBase, \"user\" | \"member\">;\n\n// ============================================================================\n// Auth setup APIs\n// ============================================================================\n\n/**\n * Create an auth API object.\n *\n * When `new SSO()` is included in providers, `auth.sso` and `auth.scim`\n * are available on the returned object. Without it, those namespaces are\n * absent and accessing them is a TypeScript compile error.\n *\n * @param component - The installed auth component reference from\n * `components.auth` in your Convex app definition.\n * @param config - Auth configuration including `providers` and optional\n * `authorization`. All fields from {@link AuthConfig} are accepted\n * except `component` (passed as the first argument).\n * @returns A {@link ConvexAuthResult} object — either {@link AuthApi}\n * (with `sso`/`scim`) or {@link AuthApiBase}, depending on whether\n * an SSO provider is present.\n *\n * @example\n * ```ts\n * export const auth = createAuth(components.auth, {\n * providers: [password(), google()],\n * authorization: { roles },\n * });\n * ```\n *\n * @see {@link AuthContextConfig}\n */\n\n// ---------------------------------------------------------------------------\n// Function builders — shared auth resolution logic\n// ---------------------------------------------------------------------------\n\nasync function resolveConfiguredAuthContext(\n auth: AuthLike,\n ctx: any,\n config?: AuthContextConfig<any>,\n): Promise<AuthContext | null> {\n const fallback = () => getResolvedAuthContext(auth, ctx);\n const authOverride = config?.authResolve\n ? await config.authResolve(ctx, fallback)\n : undefined;\n return authOverride === undefined ? await fallback() : authOverride;\n}\n\nfunction createNotSignedInError() {\n return Cv.error({\n code: \"NOT_SIGNED_IN\",\n message: \"Authentication required.\",\n });\n}\n\nasync function createPublicAuthContext(\n auth: AuthLike,\n ctx: any,\n config?: AuthContextConfig<any>,\n) {\n const resolved = await resolveConfiguredAuthContext(auth, ctx, config);\n\n if (resolved === null) {\n if (config?.optional !== true) {\n throw createNotSignedInError();\n }\n return createUnauthenticatedAuthContext();\n }\n\n const extra = config?.resolve\n ? await config.resolve(ctx, resolved.user, resolved)\n : {};\n\n return {\n ...resolved,\n ...extra,\n };\n}\n\nexport function createAuth<\n P extends AuthProviderConfig[],\n TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n component: ConvexAuthConfig[\"component\"],\n config: Omit<AuthConfig, \"providers\" | \"authorization\"> & {\n providers: P;\n authorization?: TAuthorization;\n },\n): ConvexAuthResult<P, TAuthorization> {\n const authResult = AuthFactory({\n ...config,\n component,\n providers: [...config.providers],\n });\n const {\n domain: domainApi,\n scim: scimApi,\n connection: connectionApi,\n audit: auditApi,\n webhook: webhookApi,\n oidc: oidcApi,\n saml: samlApi,\n ...restSso\n } = authResult.auth.sso as InternalSsoApi;\n\n type SetEnterpriseDomains = PublicSsoAdminApi[\"connection\"][\"domain\"][\"set\"];\n type EnterpriseDomainInput = Array<{\n domain: string;\n isPrimary?: boolean;\n }>;\n const setEnterpriseDomains: PublicSsoAdminApi[\"connection\"][\"domain\"][\"set\"] =\n async (\n ctx: Parameters<SetEnterpriseDomains>[0],\n enterpriseId: Parameters<SetEnterpriseDomains>[1],\n domains: EnterpriseDomainInput,\n ) => {\n const enterprise = await connectionApi.get(ctx, enterpriseId);\n if (enterprise === null) {\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Enterprise not found.\",\n });\n }\n\n const normalized = domains.map((entry: (typeof domains)[number]) => ({\n ...entry,\n domain: entry.domain.trim().toLowerCase(),\n }));\n const deduped = new Map<string, (typeof normalized)[number]>();\n for (const entry of normalized) {\n if (entry.domain.length === 0) {\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Domain must not be empty.\",\n });\n }\n if (deduped.has(entry.domain)) {\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: `Duplicate domain: ${entry.domain}`,\n });\n }\n deduped.set(entry.domain, entry);\n }\n\n const nextDomains = [...deduped.values()];\n const primaryCount = nextDomains.filter(\n (entry) => entry.isPrimary,\n ).length;\n if (primaryCount > 1) {\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Only one primary domain may be set.\",\n });\n }\n if (nextDomains.length > 0 && primaryCount === 0) {\n nextDomains[0] = { ...nextDomains[0], isPrimary: true };\n }\n\n const currentDomains = await domainApi.list(ctx, enterpriseId);\n const currentByDomain = new Map<string, (typeof currentDomains)[number]>(\n currentDomains.map((entry: (typeof currentDomains)[number]) => [\n entry.domain.toLowerCase(),\n entry,\n ]),\n );\n\n for (const existing of currentDomains) {\n if (!deduped.has(existing.domain.toLowerCase())) {\n await domainApi.remove(ctx, existing._id);\n }\n }\n\n for (const nextDomain of nextDomains) {\n const current = currentByDomain.get(nextDomain.domain);\n if (current && current.isPrimary === Boolean(nextDomain.isPrimary)) {\n continue;\n }\n if (current) {\n await domainApi.remove(ctx, current._id);\n }\n const domainId = await domainApi.add(ctx, {\n enterpriseId: enterprise._id,\n groupId: enterprise.groupId,\n domain: nextDomain.domain,\n isPrimary: nextDomain.isPrimary,\n });\n if (current?.verifiedAt !== undefined) {\n await (ctx as any).runMutation(\n component.public.enterpriseDomainVerify,\n {\n domainId,\n verifiedAt: current.verifiedAt,\n },\n );\n }\n }\n\n const updatedDomains = await domainApi.list(ctx, enterpriseId);\n return {\n enterpriseId,\n domains: updatedDomains.map(\n (domain: (typeof updatedDomains)[number]) => ({\n domainId: domain._id,\n domain: domain.domain,\n isPrimary: domain.isPrimary,\n verified: domain.verifiedAt !== undefined,\n verifiedAt: domain.verifiedAt ?? null,\n }),\n ),\n };\n };\n\n const publicSso: PublicSsoApi = {\n admin: {\n ...restSso,\n oidc: {\n ...oidcApi,\n },\n saml: {\n ...samlApi,\n },\n connection: {\n ...connectionApi,\n domain: {\n list: domainApi.list,\n validate: domainApi.validate,\n set: setEnterpriseDomains,\n verification: {\n request: domainApi.verification.request,\n confirm: domainApi.verification.confirm,\n },\n },\n },\n policy: restSso.policy,\n audit: {\n list: auditApi.list,\n },\n webhook: {\n endpoint: webhookApi.endpoint,\n delivery: {\n list: webhookApi.delivery.list,\n },\n },\n },\n client: {\n signIn: oidcApi.signIn,\n metadata: samlApi.metadata,\n },\n };\n\n return {\n signIn: authResult.signIn,\n signOut: authResult.signOut,\n store: authResult.store,\n user: authResult.auth.user,\n session: authResult.auth.session,\n provider: authResult.auth.provider,\n account: authResult.auth.account,\n group: authResult.auth.group,\n member: authResult.auth.member,\n invite: authResult.auth.invite,\n key: authResult.auth.key,\n sso: publicSso,\n scim: {\n admin: {\n configure: scimApi.configure,\n get: scimApi.get,\n validate: scimApi.validate,\n },\n },\n http: authResult.auth.http,\n\n context: ((ctx: any, config?: AuthContextConfig<any>) =>\n createPublicAuthContext(authResult.auth, ctx, config)) as AuthContextResolver,\n\n ctx: ((config?: AuthContextConfig<any>) =>\n createAuthContextCustomization(authResult.auth, config)) as AuthContextFactory,\n } as unknown as ConvexAuthResult<P, TAuthorization>;\n}\n\n// ============================================================================\n// auth.ctx() — ctx enrichment for customQuery / customMutation\n// ============================================================================\n\n/**\n * Configuration for {@link createAuth().ctx} context enrichment.\n *\n * The same config shape is also used by {@link createAuth().context}.\n *\n * @typeParam TResolve - Extra fields returned from `resolve()` and merged into\n * the resulting `ctx.auth` object.\n *\n * @example\n * ```ts\n * const authContext = await auth.context(ctx, {\n * resolve: async (_ctx, user, authState) => ({\n * email: user.email,\n * canWrite: authState.grants.includes(\"posts.write\"),\n * }),\n * });\n * ```\n */\nexport type AuthContextConfig<\n TResolve extends Record<string, unknown> = Record<string, never>,\n> = {\n /**\n * Allow unauthenticated callers and return a null-shaped auth object instead\n * of throwing `NOT_SIGNED_IN`.\n */\n optional?: boolean;\n /**\n * Attach additional derived fields to the auth context after the base auth\n * context is resolved.\n *\n * This callback runs only when a user is authenticated.\n */\n resolve?: (\n ctx: any,\n user: UserDoc,\n auth: AuthContext,\n ) => Promise<TResolve> | TResolve;\n /**\n * Override or wrap the base auth resolution used by {@link createAuth().ctx}.\n *\n * Return `undefined` to fall back to the built-in resolver,\n * `null` for an explicit unauthenticated state, or an\n * {@link AuthContext} object to provide a pre-resolved auth state.\n * This is useful for tests, proxy auth, impersonation flows, or any\n * environment that needs to inject auth without depending on the standard\n * Convex auth tables.\n *\n * @param ctx - The Convex function context.\n * @param fallback - The built-in auth resolver used by {@link createAuth().ctx}.\n * @returns Resolved auth state, `null`, or `undefined` to use the fallback.\n *\n * @example\n * ```ts\n * const authCtx = auth.ctx({\n * authResolve: async (ctx, fallback) => {\n * const injected = getInjectedAuth(ctx);\n * return injected ?? (await fallback());\n * },\n * });\n * ```\n */\n authResolve?: (\n ctx: any,\n fallback: () => Promise<AuthContext | null>,\n ) => Promise<AuthContext | null | undefined> | AuthContext | null | undefined;\n};\n\n/**\n * Create a context enrichment for `customQuery` / `customMutation` — optional auth.\n *\n * When `optional: true` is set, unauthenticated requests are allowed.\n * The enriched `ctx.auth` will have `userId: null`, `user: null`,\n * `groupId: null`, `role: null`, and `grants: []` for unauthenticated callers.\n *\n * @param config - Configuration with `optional: true` and an optional\n * `resolve` callback for attaching extra fields to the auth context.\n * @returns An object with `args` and `input` compatible with Convex\n * custom function builders.\n *\n * @example\n * ```ts\n * const authCtx = auth.ctx({\n * optional: true,\n * resolve: async (_ctx, user) => ({ plan: user.extend?.plan ?? null }),\n * });\n * ```\n *\n * @see {@link createAuth}\n */\n\n/**\n * Create a context enrichment for `customQuery` / `customMutation` — required auth (default).\n *\n * When `optional` is omitted or `false`, unauthenticated requests throw a\n * structured `ConvexError` before your handler runs.\n *\n * @param config - Optional configuration with a `resolve` callback\n * for attaching extra fields to the auth context.\n * @returns An object with `args` and `input` compatible with Convex\n * custom function builders.\n *\n * @example\n * ```ts\n * const authCtx = auth.ctx({\n * resolve: async (_ctx, user) => ({ email: user.email }),\n * });\n * ```\n *\n * @see {@link createAuth}\n */\nfunction createAuthContextCustomization(\n auth: AuthLike,\n config?: AuthContextConfig<any>,\n) {\n return {\n args: {},\n input: async (ctx: any, _args: any, _extra?: any) => {\n const nativeAuth = ctx.auth;\n const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);\n const resolved = await resolveConfiguredAuthContext(auth, ctx, config);\n\n if (resolved === null) {\n if (config?.optional !== true) {\n throw createNotSignedInError();\n }\n return {\n ctx: {\n auth: {\n getUserIdentity,\n ...createUnauthenticatedAuthContext(),\n },\n },\n args: {},\n };\n }\n\n const extra = config?.resolve\n ? await config.resolve(ctx, resolved.user, resolved)\n : {};\n\n return {\n ctx: {\n auth: {\n getUserIdentity,\n ...resolved,\n ...extra,\n },\n },\n args: {},\n };\n },\n };\n}\n\n/**\n * Extract the resolved `auth` context type from an `auth.ctx()` customization.\n *\n * Use this to type function parameters or variables that receive the\n * enriched auth context produced by `auth.ctx()`. The inferred type includes\n * `userId`, `user`, `groupId`, `role`, `grants`, `getUserIdentity`, and any\n * additional fields added by the `resolve` callback. This is the generic\n * utility for reusing the enriched auth shape without manually duplicating\n * conditional auth types.\n *\n * @typeParam T - An `auth.ctx()` return value (must have an `input` method\n * that returns `{ ctx: { auth: ... } }`).\n *\n * @example\n * ```ts\n * const authCtx = auth.ctx({\n * resolve: async (ctx, user) => ({ orgId: user.orgId }),\n * });\n * type Auth = InferAuth<typeof authCtx>;\n * // Auth = { userId: Id<\"User\">; user: UserDoc; getUserIdentity: ...; orgId: string }\n * ```\n *\n * @see {@link createAuth}\n */\nexport type InferAuth<\n T extends { input: (...args: any[]) => Promise<{ ctx: { auth: any } }> },\n> = Awaited<ReturnType<T[\"input\"]>>[\"ctx\"][\"auth\"];\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAugBA,eAAe,6BACb,MACA,KACA,QAC6B;CAC7B,MAAM,iBAAiBA,eAAuB,MAAM,IAAI;CACxD,MAAM,eAAe,QAAQ,cACzB,MAAM,OAAO,YAAY,KAAK,SAAS,GACvC;AACJ,QAAO,iBAAiB,SAAY,MAAM,UAAU,GAAG;;AAGzD,SAAS,yBAAyB;AAChC,QAAO,GAAG,MAAM;EACd,MAAM;EACN,SAAS;EACV,CAAC;;AAGJ,eAAe,wBACb,MACA,KACA,QACA;CACA,MAAM,WAAW,MAAM,6BAA6B,MAAM,KAAK,OAAO;AAEtE,KAAI,aAAa,MAAM;AACrB,MAAI,QAAQ,aAAa,KACvB,OAAM,wBAAwB;AAEhC,SAAO,kCAAkC;;CAG3C,MAAM,QAAQ,QAAQ,UAClB,MAAM,OAAO,QAAQ,KAAK,SAAS,MAAM,SAAS,GAClD,EAAE;AAEN,QAAO;EACL,GAAG;EACH,GAAG;EACJ;;AAGH,SAAgB,WAId,WACA,QAIqC;CACrC,MAAM,aAAaC,KAAY;EAC7B,GAAG;EACH;EACA,WAAW,CAAC,GAAG,OAAO,UAAU;EACjC,CAAC;CACF,MAAM,EACJ,QAAQ,WACR,MAAM,SACN,YAAY,eACZ,OAAO,UACP,SAAS,YACT,MAAM,SACN,MAAM,SACN,GAAG,YACD,WAAW,KAAK;CAOpB,MAAM,uBACJ,OACE,KACA,cACA,YACG;EACH,MAAM,aAAa,MAAM,cAAc,IAAI,KAAK,aAAa;AAC7D,MAAI,eAAe,KACjB,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAGJ,MAAM,aAAa,QAAQ,KAAK,WAAqC;GACnE,GAAG;GACH,QAAQ,MAAM,OAAO,MAAM,CAAC,aAAa;GAC1C,EAAE;EACH,MAAM,0BAAU,IAAI,KAA0C;AAC9D,OAAK,MAAM,SAAS,YAAY;AAC9B,OAAI,MAAM,OAAO,WAAW,EAC1B,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;AAEJ,OAAI,QAAQ,IAAI,MAAM,OAAO,CAC3B,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS,qBAAqB,MAAM;IACrC,CAAC;AAEJ,WAAQ,IAAI,MAAM,QAAQ,MAAM;;EAGlC,MAAM,cAAc,CAAC,GAAG,QAAQ,QAAQ,CAAC;EACzC,MAAM,eAAe,YAAY,QAC9B,UAAU,MAAM,UAClB,CAAC;AACF,MAAI,eAAe,EACjB,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,MAAI,YAAY,SAAS,KAAK,iBAAiB,EAC7C,aAAY,KAAK;GAAE,GAAG,YAAY;GAAI,WAAW;GAAM;EAGzD,MAAM,iBAAiB,MAAM,UAAU,KAAK,KAAK,aAAa;EAC9D,MAAM,kBAAkB,IAAI,IAC1B,eAAe,KAAK,UAA2C,CAC7D,MAAM,OAAO,aAAa,EAC1B,MACD,CAAC,CACH;AAED,OAAK,MAAM,YAAY,eACrB,KAAI,CAAC,QAAQ,IAAI,SAAS,OAAO,aAAa,CAAC,CAC7C,OAAM,UAAU,OAAO,KAAK,SAAS,IAAI;AAI7C,OAAK,MAAM,cAAc,aAAa;GACpC,MAAM,UAAU,gBAAgB,IAAI,WAAW,OAAO;AACtD,OAAI,WAAW,QAAQ,cAAc,QAAQ,WAAW,UAAU,CAChE;AAEF,OAAI,QACF,OAAM,UAAU,OAAO,KAAK,QAAQ,IAAI;GAE1C,MAAM,WAAW,MAAM,UAAU,IAAI,KAAK;IACxC,cAAc,WAAW;IACzB,SAAS,WAAW;IACpB,QAAQ,WAAW;IACnB,WAAW,WAAW;IACvB,CAAC;AACF,OAAI,SAAS,eAAe,OAC1B,OAAO,IAAY,YACjB,UAAU,OAAO,wBACjB;IACE;IACA,YAAY,QAAQ;IACrB,CACF;;AAKL,SAAO;GACL;GACA,UAHqB,MAAM,UAAU,KAAK,KAAK,aAAa,EAGpC,KACrB,YAA6C;IAC5C,UAAU,OAAO;IACjB,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,UAAU,OAAO,eAAe;IAChC,YAAY,OAAO,cAAc;IAClC,EACF;GACF;;CAGL,MAAM,YAA0B;EAC9B,OAAO;GACL,GAAG;GACH,MAAM,EACJ,GAAG,SACJ;GACD,MAAM,EACJ,GAAG,SACJ;GACD,YAAY;IACV,GAAG;IACH,QAAQ;KACN,MAAM,UAAU;KAChB,UAAU,UAAU;KACpB,KAAK;KACL,cAAc;MACZ,SAAS,UAAU,aAAa;MAChC,SAAS,UAAU,aAAa;MACjC;KACF;IACF;GACD,QAAQ,QAAQ;GAChB,OAAO,EACL,MAAM,SAAS,MAChB;GACD,SAAS;IACP,UAAU,WAAW;IACrB,UAAU,EACR,MAAM,WAAW,SAAS,MAC3B;IACF;GACF;EACD,QAAQ;GACN,QAAQ,QAAQ;GAChB,UAAU,QAAQ;GACnB;EACF;AAED,QAAO;EACL,QAAQ,WAAW;EACnB,SAAS,WAAW;EACpB,OAAO,WAAW;EAClB,MAAM,WAAW,KAAK;EACtB,SAAS,WAAW,KAAK;EACzB,UAAU,WAAW,KAAK;EAC1B,SAAS,WAAW,KAAK;EACzB,OAAO,WAAW,KAAK;EACvB,QAAQ,WAAW,KAAK;EACxB,QAAQ,WAAW,KAAK;EACxB,KAAK,WAAW,KAAK;EACrB,KAAK;EACL,MAAM,EACJ,OAAO;GACL,WAAW,QAAQ;GACnB,KAAK,QAAQ;GACb,UAAU,QAAQ;GACnB,EACF;EACD,MAAM,WAAW,KAAK;EAEtB,WAAW,KAAU,aACnB,wBAAwB,WAAW,MAAM,KAAKC,SAAO;EAEvD,OAAO,aACL,+BAA+B,WAAW,MAAMA,SAAO;EAC1D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqHH,SAAS,+BACP,MACA,QACA;AACA,QAAO;EACL,MAAM,EAAE;EACR,OAAO,OAAO,KAAU,OAAY,WAAiB;GACnD,MAAM,aAAa,IAAI;GACvB,MAAM,kBAAkB,WAAW,gBAAgB,KAAK,WAAW;GACnE,MAAM,WAAW,MAAM,6BAA6B,MAAM,KAAK,OAAO;AAEtE,OAAI,aAAa,MAAM;AACrB,QAAI,QAAQ,aAAa,KACvB,OAAM,wBAAwB;AAEhC,WAAO;KACL,KAAK,EACH,MAAM;MACJ;MACA,GAAG,kCAAkC;MACtC,EACF;KACD,MAAM,EAAE;KACT;;GAGH,MAAM,QAAQ,QAAQ,UAClB,MAAM,OAAO,QAAQ,KAAK,SAAS,MAAM,SAAS,GAClD,EAAE;AAEN,UAAO;IACL,KAAK,EACH,MAAM;KACJ;KACA,GAAG;KACH,GAAG;KACJ,EACF;IACD,MAAM,EAAE;IACT;;EAEJ"}
|
|
@@ -1,121 +0,0 @@
|
|
|
1
|
-
import { isOAuthProvider } from "../providers/oauth.js";
|
|
2
|
-
|
|
3
|
-
//#region src/server/config.ts
|
|
4
|
-
/** Check if something is a new-style class provider with `_toMaterialized()`. */
|
|
5
|
-
function isClassProvider(provider) {
|
|
6
|
-
return typeof provider === "object" && provider !== null && typeof provider._toMaterialized === "function";
|
|
7
|
-
}
|
|
8
|
-
/**
|
|
9
|
-
* Resolve raw provider configs into materialized form and apply defaults.
|
|
10
|
-
*
|
|
11
|
-
* @internal
|
|
12
|
-
*/
|
|
13
|
-
/** @internal */
|
|
14
|
-
function configDefaults(config_) {
|
|
15
|
-
const config = materializeAndDefaultProviders(config_);
|
|
16
|
-
const extraProviders = config.providers.filter((p) => p.type === "credentials").map((p) => p.extraProviders).flat().filter((p) => p !== void 0);
|
|
17
|
-
return {
|
|
18
|
-
...config,
|
|
19
|
-
authorization: normalizeAuthorizationConfig(config.authorization),
|
|
20
|
-
extraProviders: materializeProviders(extraProviders)
|
|
21
|
-
};
|
|
22
|
-
}
|
|
23
|
-
/**
|
|
24
|
-
* Materialize a single provider config into its runtime form.
|
|
25
|
-
*
|
|
26
|
-
* @internal
|
|
27
|
-
*/
|
|
28
|
-
/** @internal */
|
|
29
|
-
function materializeProvider(provider) {
|
|
30
|
-
const config = {
|
|
31
|
-
providers: [provider],
|
|
32
|
-
component: {}
|
|
33
|
-
};
|
|
34
|
-
materializeAndDefaultProviders(config);
|
|
35
|
-
return config.providers[0];
|
|
36
|
-
}
|
|
37
|
-
/**
|
|
38
|
-
* List available provider IDs for error messages.
|
|
39
|
-
*
|
|
40
|
-
* @internal
|
|
41
|
-
*/
|
|
42
|
-
/** @internal */
|
|
43
|
-
function listAvailableProviders(config, allowExtraProviders) {
|
|
44
|
-
const availableProviders = config.providers.concat(allowExtraProviders ? config.extraProviders : []).map((provider) => `\`${provider.id}\``);
|
|
45
|
-
return availableProviders.length > 0 ? availableProviders.join(", ") : "no providers have been configured";
|
|
46
|
-
}
|
|
47
|
-
function materializeProviders(providers) {
|
|
48
|
-
const config = {
|
|
49
|
-
providers,
|
|
50
|
-
component: {}
|
|
51
|
-
};
|
|
52
|
-
materializeAndDefaultProviders(config);
|
|
53
|
-
return config.providers;
|
|
54
|
-
}
|
|
55
|
-
function decodeProviderMaterializationDispatch(raw) {
|
|
56
|
-
if (isOAuthProvider(raw)) return {
|
|
57
|
-
tag: "oauth",
|
|
58
|
-
raw
|
|
59
|
-
};
|
|
60
|
-
if (isClassProvider(raw)) return {
|
|
61
|
-
tag: "class",
|
|
62
|
-
raw
|
|
63
|
-
};
|
|
64
|
-
return {
|
|
65
|
-
tag: "factoryOrObject",
|
|
66
|
-
raw
|
|
67
|
-
};
|
|
68
|
-
}
|
|
69
|
-
function matchProviderMaterializationDispatch(dispatch, handlers) {
|
|
70
|
-
return handlers[dispatch.tag](dispatch);
|
|
71
|
-
}
|
|
72
|
-
function materializeProviderConfig(raw) {
|
|
73
|
-
return matchProviderMaterializationDispatch(decodeProviderMaterializationDispatch(raw), {
|
|
74
|
-
oauth: (d) => materializeOAuthProvider(d.raw),
|
|
75
|
-
class: (d) => d.raw._toMaterialized(),
|
|
76
|
-
factoryOrObject: (d) => {
|
|
77
|
-
const resolved = typeof d.raw === "function" ? d.raw() : d.raw;
|
|
78
|
-
return resolved.options ? {
|
|
79
|
-
...resolved,
|
|
80
|
-
...resolved.options
|
|
81
|
-
} : resolved;
|
|
82
|
-
}
|
|
83
|
-
});
|
|
84
|
-
}
|
|
85
|
-
function materializeAndDefaultProviders(config_) {
|
|
86
|
-
const allProviders = [];
|
|
87
|
-
for (const raw of config_.providers) allProviders.push(materializeProviderConfig(raw));
|
|
88
|
-
const config = {
|
|
89
|
-
...config_,
|
|
90
|
-
providers: allProviders
|
|
91
|
-
};
|
|
92
|
-
config.providers.forEach((provider) => {
|
|
93
|
-
if (provider.type === "phone") {
|
|
94
|
-
const ID = provider.id.toUpperCase().replace(/-/g, "_");
|
|
95
|
-
provider.apiKey ??= process.env[`AUTH_${ID}_KEY`];
|
|
96
|
-
}
|
|
97
|
-
});
|
|
98
|
-
return config;
|
|
99
|
-
}
|
|
100
|
-
function normalizeAuthorizationConfig(authorization) {
|
|
101
|
-
return { roles: Object.fromEntries(Object.entries(authorization?.roles ?? {}).map(([roleId, role]) => [roleId, {
|
|
102
|
-
...role.label ? { label: role.label } : {},
|
|
103
|
-
grants: Array.from(new Set(role.grants)).sort()
|
|
104
|
-
}])) };
|
|
105
|
-
}
|
|
106
|
-
/**
|
|
107
|
-
* Materialize an Arctic-based `OAuthProviderInstance` into the runtime config.
|
|
108
|
-
*/
|
|
109
|
-
function materializeOAuthProvider(instance) {
|
|
110
|
-
return {
|
|
111
|
-
id: instance.id,
|
|
112
|
-
type: "oauth",
|
|
113
|
-
provider: instance.provider,
|
|
114
|
-
scopes: instance.scopes,
|
|
115
|
-
profile: instance.profile
|
|
116
|
-
};
|
|
117
|
-
}
|
|
118
|
-
|
|
119
|
-
//#endregion
|
|
120
|
-
export { configDefaults, listAvailableProviders, materializeProvider };
|
|
121
|
-
//# sourceMappingURL=config.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","names":[],"sources":["../../../src/server/config.ts"],"sourcesContent":["import {\n isOAuthProvider,\n type OAuthProviderInstance,\n} from \"../providers/oauth\";\nimport {\n AuthAuthorizationConfig,\n AuthProviderConfig,\n AuthProviderMaterializedConfig,\n ConvexAuthConfig,\n OAuthMaterializedConfig,\n} from \"./types\";\n\n// ============================================================================\n// Provider class detection\n// ============================================================================\n\n/** Check if something is a new-style class provider with `_toMaterialized()`. */\nfunction isClassProvider(\n provider: any,\n): provider is { _toMaterialized(): AuthProviderMaterializedConfig } {\n return (\n typeof provider === \"object\" &&\n provider !== null &&\n typeof provider._toMaterialized === \"function\"\n );\n}\n\n// ============================================================================\n// Public API\n// ============================================================================\n\n/**\n * Resolve raw provider configs into materialized form and apply defaults.\n *\n * @internal\n */\n/** @internal */\nexport function configDefaults(config_: ConvexAuthConfig) {\n const config = materializeAndDefaultProviders(config_);\n // Collect extra providers from credentials providers\n const extraProviders = config.providers\n .filter((p) => p.type === \"credentials\")\n .map((p) => p.extraProviders)\n .flat()\n .filter((p) => p !== undefined);\n return {\n ...config,\n authorization: normalizeAuthorizationConfig(config.authorization),\n extraProviders: materializeProviders(extraProviders),\n };\n}\n\n/**\n * Materialize a single provider config into its runtime form.\n *\n * @internal\n */\n/** @internal */\nexport function materializeProvider(provider: AuthProviderConfig) {\n const config = { providers: [provider], component: {} as any };\n materializeAndDefaultProviders(config);\n return config.providers[0] as AuthProviderMaterializedConfig;\n}\n\n/**\n * List available provider IDs for error messages.\n *\n * @internal\n */\n/** @internal */\nexport function listAvailableProviders(\n config: ReturnType<typeof configDefaults>,\n allowExtraProviders: boolean,\n) {\n const availableProviders = config.providers\n .concat(allowExtraProviders ? config.extraProviders : [])\n .map((provider) => `\\`${provider.id}\\``);\n return availableProviders.length > 0\n ? availableProviders.join(\", \")\n : \"no providers have been configured\";\n}\n\n// ============================================================================\n// Internal helpers\n// ============================================================================\n\nfunction materializeProviders(providers: AuthProviderConfig[]) {\n const config = { providers, component: {} as any };\n materializeAndDefaultProviders(config);\n return config.providers as AuthProviderMaterializedConfig[];\n}\n\ntype ProviderMaterializationDispatch =\n | { tag: \"oauth\"; raw: OAuthProviderInstance }\n | {\n tag: \"class\";\n raw: { _toMaterialized(): AuthProviderMaterializedConfig };\n }\n | { tag: \"factoryOrObject\"; raw: AuthProviderConfig };\n\ntype ProviderMaterializationHandlers<T> = {\n oauth: (\n dispatch: Extract<ProviderMaterializationDispatch, { tag: \"oauth\" }>,\n ) => T;\n class: (\n dispatch: Extract<ProviderMaterializationDispatch, { tag: \"class\" }>,\n ) => T;\n factoryOrObject: (\n dispatch: Extract<\n ProviderMaterializationDispatch,\n { tag: \"factoryOrObject\" }\n >,\n ) => T;\n};\n\nfunction decodeProviderMaterializationDispatch(\n raw: AuthProviderConfig,\n): ProviderMaterializationDispatch {\n if (isOAuthProvider(raw)) {\n return { tag: \"oauth\", raw };\n }\n if (isClassProvider(raw)) {\n return { tag: \"class\", raw };\n }\n return { tag: \"factoryOrObject\", raw };\n}\n\nfunction matchProviderMaterializationDispatch<T>(\n dispatch: ProviderMaterializationDispatch,\n handlers: ProviderMaterializationHandlers<T>,\n): T {\n return (\n handlers[dispatch.tag] as (dispatch: ProviderMaterializationDispatch) => T\n )(dispatch);\n}\n\nfunction materializeProviderConfig(raw: AuthProviderConfig) {\n const dispatch = decodeProviderMaterializationDispatch(raw);\n return matchProviderMaterializationDispatch(dispatch, {\n oauth: (d) => materializeOAuthProvider(d.raw),\n class: (d) => d.raw._toMaterialized(),\n factoryOrObject: (d) => {\n const resolved = typeof d.raw === \"function\" ? d.raw() : (d.raw as any);\n const merged = resolved.options\n ? { ...resolved, ...resolved.options }\n : resolved;\n return merged as AuthProviderMaterializedConfig;\n },\n });\n}\n\nfunction materializeAndDefaultProviders(config_: ConvexAuthConfig) {\n const allProviders: AuthProviderMaterializedConfig[] = [];\n\n for (const raw of config_.providers) {\n allProviders.push(materializeProviderConfig(raw));\n }\n\n const config = { ...config_, providers: allProviders };\n\n // Set phone provider API key from env\n config.providers.forEach((provider) => {\n if (provider.type === \"phone\") {\n const ID = provider.id.toUpperCase().replace(/-/g, \"_\");\n provider.apiKey ??= process.env[`AUTH_${ID}_KEY`];\n }\n });\n\n return config;\n}\n\nfunction normalizeAuthorizationConfig(\n authorization: ConvexAuthConfig[\"authorization\"],\n): AuthAuthorizationConfig {\n const roles = Object.fromEntries(\n Object.entries(authorization?.roles ?? {}).map(([roleId, role]) => [\n roleId,\n {\n ...(role.label ? { label: role.label } : {}),\n grants: Array.from(new Set(role.grants)).sort(),\n },\n ]),\n );\n return { roles };\n}\n\n/**\n * Materialize an Arctic-based `OAuthProviderInstance` into the runtime config.\n */\nfunction materializeOAuthProvider(\n instance: OAuthProviderInstance,\n): OAuthMaterializedConfig {\n return {\n id: instance.id,\n type: \"oauth\",\n provider: instance.provider,\n scopes: instance.scopes,\n profile: instance.profile,\n };\n}\n"],"mappings":";;;;AAiBA,SAAS,gBACP,UACmE;AACnE,QACE,OAAO,aAAa,YACpB,aAAa,QACb,OAAO,SAAS,oBAAoB;;;;;;;;AAcxC,SAAgB,eAAe,SAA2B;CACxD,MAAM,SAAS,+BAA+B,QAAQ;CAEtD,MAAM,iBAAiB,OAAO,UAC3B,QAAQ,MAAM,EAAE,SAAS,cAAc,CACvC,KAAK,MAAM,EAAE,eAAe,CAC5B,MAAM,CACN,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAO;EACL,GAAG;EACH,eAAe,6BAA6B,OAAO,cAAc;EACjE,gBAAgB,qBAAqB,eAAe;EACrD;;;;;;;;AASH,SAAgB,oBAAoB,UAA8B;CAChE,MAAM,SAAS;EAAE,WAAW,CAAC,SAAS;EAAE,WAAW,EAAE;EAAS;AAC9D,gCAA+B,OAAO;AACtC,QAAO,OAAO,UAAU;;;;;;;;AAS1B,SAAgB,uBACd,QACA,qBACA;CACA,MAAM,qBAAqB,OAAO,UAC/B,OAAO,sBAAsB,OAAO,iBAAiB,EAAE,CAAC,CACxD,KAAK,aAAa,KAAK,SAAS,GAAG,IAAI;AAC1C,QAAO,mBAAmB,SAAS,IAC/B,mBAAmB,KAAK,KAAK,GAC7B;;AAON,SAAS,qBAAqB,WAAiC;CAC7D,MAAM,SAAS;EAAE;EAAW,WAAW,EAAE;EAAS;AAClD,gCAA+B,OAAO;AACtC,QAAO,OAAO;;AA0BhB,SAAS,sCACP,KACiC;AACjC,KAAI,gBAAgB,IAAI,CACtB,QAAO;EAAE,KAAK;EAAS;EAAK;AAE9B,KAAI,gBAAgB,IAAI,CACtB,QAAO;EAAE,KAAK;EAAS;EAAK;AAE9B,QAAO;EAAE,KAAK;EAAmB;EAAK;;AAGxC,SAAS,qCACP,UACA,UACG;AACH,QACE,SAAS,SAAS,KAClB,SAAS;;AAGb,SAAS,0BAA0B,KAAyB;AAE1D,QAAO,qCADU,sCAAsC,IAAI,EACL;EACpD,QAAQ,MAAM,yBAAyB,EAAE,IAAI;EAC7C,QAAQ,MAAM,EAAE,IAAI,iBAAiB;EACrC,kBAAkB,MAAM;GACtB,MAAM,WAAW,OAAO,EAAE,QAAQ,aAAa,EAAE,KAAK,GAAI,EAAE;AAI5D,UAHe,SAAS,UACpB;IAAE,GAAG;IAAU,GAAG,SAAS;IAAS,GACpC;;EAGP,CAAC;;AAGJ,SAAS,+BAA+B,SAA2B;CACjE,MAAM,eAAiD,EAAE;AAEzD,MAAK,MAAM,OAAO,QAAQ,UACxB,cAAa,KAAK,0BAA0B,IAAI,CAAC;CAGnD,MAAM,SAAS;EAAE,GAAG;EAAS,WAAW;EAAc;AAGtD,QAAO,UAAU,SAAS,aAAa;AACrC,MAAI,SAAS,SAAS,SAAS;GAC7B,MAAM,KAAK,SAAS,GAAG,aAAa,CAAC,QAAQ,MAAM,IAAI;AACvD,YAAS,WAAW,QAAQ,IAAI,QAAQ,GAAG;;GAE7C;AAEF,QAAO;;AAGT,SAAS,6BACP,eACyB;AAUzB,QAAO,EAAE,OATK,OAAO,YACnB,OAAO,QAAQ,eAAe,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,UAAU,CACjE,QACA;EACE,GAAI,KAAK,QAAQ,EAAE,OAAO,KAAK,OAAO,GAAG,EAAE;EAC3C,QAAQ,MAAM,KAAK,IAAI,IAAI,KAAK,OAAO,CAAC,CAAC,MAAM;EAChD,CACF,CAAC,CACH,EACe;;;;;AAMlB,SAAS,yBACP,UACyB;AACzB,QAAO;EACL,IAAI,SAAS;EACb,MAAM;EACN,UAAU,SAAS;EACnB,QAAQ,SAAS;EACjB,SAAS,SAAS;EACnB"}
|
|
@@ -1,53 +0,0 @@
|
|
|
1
|
-
import { userIdFromIdentitySubject } from "./identity.js";
|
|
2
|
-
|
|
3
|
-
//#region src/server/context.ts
|
|
4
|
-
/** @internal */
|
|
5
|
-
async function getSessionUserId(ctx) {
|
|
6
|
-
const identity = await ctx.auth.getUserIdentity();
|
|
7
|
-
if (identity === null) return null;
|
|
8
|
-
return userIdFromIdentitySubject(identity.subject);
|
|
9
|
-
}
|
|
10
|
-
/** @internal */
|
|
11
|
-
async function getAuthContextForUser(auth, ctx, userId) {
|
|
12
|
-
const user = await auth.user.get(ctx, userId);
|
|
13
|
-
const groupId = await auth.user.getActiveGroup(ctx, { userId });
|
|
14
|
-
let role = null;
|
|
15
|
-
let grants = [];
|
|
16
|
-
if (groupId) {
|
|
17
|
-
const resolved = await auth.member.inspect(ctx, {
|
|
18
|
-
userId,
|
|
19
|
-
groupId
|
|
20
|
-
});
|
|
21
|
-
if (resolved.membership) {
|
|
22
|
-
role = resolved.roleIds[0] ?? null;
|
|
23
|
-
grants = resolved.grants;
|
|
24
|
-
}
|
|
25
|
-
}
|
|
26
|
-
return {
|
|
27
|
-
userId,
|
|
28
|
-
user,
|
|
29
|
-
groupId,
|
|
30
|
-
role,
|
|
31
|
-
grants
|
|
32
|
-
};
|
|
33
|
-
}
|
|
34
|
-
/** @internal */
|
|
35
|
-
async function getAuthContext(auth, ctx) {
|
|
36
|
-
const userId = await getSessionUserId(ctx);
|
|
37
|
-
if (userId === null) return null;
|
|
38
|
-
return await getAuthContextForUser(auth, ctx, userId);
|
|
39
|
-
}
|
|
40
|
-
/** @internal */
|
|
41
|
-
function createUnauthenticatedAuthContext() {
|
|
42
|
-
return {
|
|
43
|
-
userId: null,
|
|
44
|
-
user: null,
|
|
45
|
-
groupId: null,
|
|
46
|
-
role: null,
|
|
47
|
-
grants: []
|
|
48
|
-
};
|
|
49
|
-
}
|
|
50
|
-
|
|
51
|
-
//#endregion
|
|
52
|
-
export { createUnauthenticatedAuthContext, getAuthContext, getAuthContextForUser, getSessionUserId };
|
|
53
|
-
//# sourceMappingURL=context.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"context.js","names":[],"sources":["../../../src/server/context.ts"],"sourcesContent":["import type { UserIdentity } from \"convex/server\";\n\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport type { AuthContext, AuthLike, OptionalAuthContext, UserDoc } from \"./auth\";\n\ntype AuthIdentityCtx = {\n auth: {\n getUserIdentity: () => Promise<UserIdentity | null>;\n };\n};\n\ntype AuthContextResolverLike = {\n user: {\n get: (ctx: any, userId: string) => Promise<UserDoc>;\n getActiveGroup: (\n ctx: any,\n args: { userId: string },\n ) => Promise<string | null>;\n };\n member: {\n inspect: (\n ctx: any,\n args: { userId: string; groupId: string },\n ) => Promise<{\n membership: unknown;\n roleIds: string[];\n grants: string[];\n }>;\n };\n};\n\n/** @internal */\nexport async function getSessionUserId(\n ctx: AuthIdentityCtx,\n): Promise<string | null> {\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n return null;\n }\n return userIdFromIdentitySubject(identity.subject);\n}\n\n/** @internal */\nexport async function getAuthContextForUser(\n auth: AuthContextResolverLike,\n ctx: any,\n userId: string,\n): Promise<AuthContext> {\n const user = await auth.user.get(ctx, userId);\n const groupId = await auth.user.getActiveGroup(ctx, { userId });\n let role: string | null = null;\n let grants: string[] = [];\n if (groupId) {\n const resolved = await auth.member.inspect(ctx, { userId, groupId });\n if (resolved.membership) {\n role = resolved.roleIds[0] ?? null;\n grants = resolved.grants;\n }\n }\n return {\n userId: userId as AuthContext[\"userId\"],\n user,\n groupId,\n role,\n grants,\n };\n}\n\n/** @internal */\nexport async function getAuthContext(\n auth: AuthLike,\n ctx: AuthIdentityCtx & Record<string, unknown>,\n): Promise<AuthContext | null> {\n const userId = await getSessionUserId(ctx);\n if (userId === null) {\n return null;\n }\n return await getAuthContextForUser(auth, ctx, userId);\n}\n\n/** @internal */\nexport function createUnauthenticatedAuthContext(): OptionalAuthContext {\n return {\n userId: null,\n user: null,\n groupId: null,\n role: null,\n grants: [],\n };\n}\n"],"mappings":";;;;AAgCA,eAAsB,iBACpB,KACwB;CACxB,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,QAAO;AAET,QAAO,0BAA0B,SAAS,QAAQ;;;AAIpD,eAAsB,sBACpB,MACA,KACA,QACsB;CACtB,MAAM,OAAO,MAAM,KAAK,KAAK,IAAI,KAAK,OAAO;CAC7C,MAAM,UAAU,MAAM,KAAK,KAAK,eAAe,KAAK,EAAE,QAAQ,CAAC;CAC/D,IAAI,OAAsB;CAC1B,IAAI,SAAmB,EAAE;AACzB,KAAI,SAAS;EACX,MAAM,WAAW,MAAM,KAAK,OAAO,QAAQ,KAAK;GAAE;GAAQ;GAAS,CAAC;AACpE,MAAI,SAAS,YAAY;AACvB,UAAO,SAAS,QAAQ,MAAM;AAC9B,YAAS,SAAS;;;AAGtB,QAAO;EACG;EACR;EACA;EACA;EACA;EACD;;;AAIH,eAAsB,eACpB,MACA,KAC6B;CAC7B,MAAM,SAAS,MAAM,iBAAiB,IAAI;AAC1C,KAAI,WAAW,KACb,QAAO;AAET,QAAO,MAAM,sBAAsB,MAAM,KAAK,OAAO;;;AAIvD,SAAgB,mCAAwD;AACtE,QAAO;EACL,QAAQ;EACR,MAAM;EACN,SAAS;EACT,MAAM;EACN,QAAQ,EAAE;EACX"}
|
|
@@ -1,47 +0,0 @@
|
|
|
1
|
-
import { isLocalHost } from "./utils.js";
|
|
2
|
-
|
|
3
|
-
//#region src/server/cookies.ts
|
|
4
|
-
/** @internal */
|
|
5
|
-
const SHARED_COOKIE_OPTIONS = {
|
|
6
|
-
httpOnly: true,
|
|
7
|
-
sameSite: "none",
|
|
8
|
-
secure: true,
|
|
9
|
-
path: "/",
|
|
10
|
-
partitioned: true
|
|
11
|
-
};
|
|
12
|
-
const REDIRECT_MAX_AGE = 900;
|
|
13
|
-
/** @internal */
|
|
14
|
-
function redirectToParamCookie(providerId, redirectTo) {
|
|
15
|
-
return {
|
|
16
|
-
name: redirectToParamCookieName(providerId),
|
|
17
|
-
value: redirectTo,
|
|
18
|
-
options: {
|
|
19
|
-
...SHARED_COOKIE_OPTIONS,
|
|
20
|
-
maxAge: REDIRECT_MAX_AGE
|
|
21
|
-
}
|
|
22
|
-
};
|
|
23
|
-
}
|
|
24
|
-
/** @internal */
|
|
25
|
-
function useRedirectToParam(providerId, cookies) {
|
|
26
|
-
const cookieName = redirectToParamCookieName(providerId);
|
|
27
|
-
const redirectTo = cookies[cookieName];
|
|
28
|
-
if (redirectTo === void 0) return null;
|
|
29
|
-
return {
|
|
30
|
-
redirectTo,
|
|
31
|
-
updatedCookie: {
|
|
32
|
-
name: cookieName,
|
|
33
|
-
value: "",
|
|
34
|
-
options: {
|
|
35
|
-
...SHARED_COOKIE_OPTIONS,
|
|
36
|
-
maxAge: 0
|
|
37
|
-
}
|
|
38
|
-
}
|
|
39
|
-
};
|
|
40
|
-
}
|
|
41
|
-
function redirectToParamCookieName(providerId) {
|
|
42
|
-
return (!isLocalHost(process.env.CONVEX_SITE_URL) ? "__Host-" : "") + providerId + "RedirectTo";
|
|
43
|
-
}
|
|
44
|
-
|
|
45
|
-
//#endregion
|
|
46
|
-
export { SHARED_COOKIE_OPTIONS, redirectToParamCookie, useRedirectToParam };
|
|
47
|
-
//# sourceMappingURL=cookies.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"cookies.js","names":[],"sources":["../../../src/server/cookies.ts"],"sourcesContent":["import { isLocalHost } from \"./utils\";\n\n/** @internal */\nexport const SHARED_COOKIE_OPTIONS = {\n httpOnly: true,\n sameSite: \"none\" as const,\n secure: true,\n path: \"/\",\n partitioned: true,\n};\n\nconst REDIRECT_MAX_AGE = 60 * 15; // 15 minutes in seconds\n/** @internal */\nexport function redirectToParamCookie(providerId: string, redirectTo: string) {\n return {\n name: redirectToParamCookieName(providerId),\n value: redirectTo,\n options: { ...SHARED_COOKIE_OPTIONS, maxAge: REDIRECT_MAX_AGE },\n };\n}\n\n/** @internal */\nexport function useRedirectToParam(\n providerId: string,\n cookies: Record<string, string | undefined>,\n) {\n const cookieName = redirectToParamCookieName(providerId);\n const redirectTo = cookies[cookieName];\n if (redirectTo === undefined) {\n return null;\n }\n\n // Clear the cookie\n const updatedCookie = {\n name: cookieName,\n value: \"\",\n options: { ...SHARED_COOKIE_OPTIONS, maxAge: 0 },\n };\n\n return { redirectTo, updatedCookie };\n}\n\nfunction redirectToParamCookieName(providerId: string) {\n return (\n (!isLocalHost(process.env.CONVEX_SITE_URL) ? \"__Host-\" : \"\") +\n providerId +\n \"RedirectTo\"\n );\n}\n"],"mappings":";;;;AAGA,MAAa,wBAAwB;CACnC,UAAU;CACV,UAAU;CACV,QAAQ;CACR,MAAM;CACN,aAAa;CACd;AAED,MAAM,mBAAmB;;AAEzB,SAAgB,sBAAsB,YAAoB,YAAoB;AAC5E,QAAO;EACL,MAAM,0BAA0B,WAAW;EAC3C,OAAO;EACP,SAAS;GAAE,GAAG;GAAuB,QAAQ;GAAkB;EAChE;;;AAIH,SAAgB,mBACd,YACA,SACA;CACA,MAAM,aAAa,0BAA0B,WAAW;CACxD,MAAM,aAAa,QAAQ;AAC3B,KAAI,eAAe,OACjB,QAAO;AAUT,QAAO;EAAE;EAAY,eANC;GACpB,MAAM;GACN,OAAO;GACP,SAAS;IAAE,GAAG;IAAuB,QAAQ;IAAG;GACjD;EAEmC;;AAGtC,SAAS,0BAA0B,YAAoB;AACrD,SACG,CAAC,YAAY,QAAQ,IAAI,gBAAgB,GAAG,YAAY,MACzD,aACA"}
|