@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

Files changed (666)
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -1,974 +0,0 @@
1
- import { Cv } from "@robelest/fx/convex";
2
- import { Fx } from "@robelest/fx";
3
-
4
- //#region src/server/enterprise/domain.ts
5
- /**
6
- * Build the enterprise and SSO management domain.
7
- */
8
- function createEnterpriseDomain(deps) {
9
- const { config, normalizeEnterprisePolicy, normalizeDomain, getEnterpriseSecret, loadEnterpriseOrThrow, validateEnterprisePolicy, recordEnterpriseAuditEvent, emitEnterpriseWebhookDeliveries, enterpriseNotFoundError, ENTERPRISE_OIDC_CLIENT_SECRET_KIND, requireEnv, generateRandomString, INVITE_TOKEN_ALPHABET, sha256, encryptSecret, upsertProtocolConfig, parseSamlIdpMetadata, createServiceProviderMetadata, getSamlServiceProviderOptions, getPublicOidcConfig, withOidcSecretState, getOidcConfig, getEnterpriseOidcUrls, enterpriseOidcProviderId, getPolicyFromEnterprise, patchEnterprisePolicy } = deps;
10
- const ENTERPRISE_DOMAIN_VERIFICATION_PREFIX = "_convex-auth-verification";
11
- const ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS = 1e3 * 60 * 60 * 24 * 7;
12
- const toDomainSummary = (domain) => ({
13
- domainId: domain._id,
14
- domain: domain.domain,
15
- isPrimary: domain.isPrimary,
16
- verified: domain.verifiedAt !== void 0,
17
- verifiedAt: domain.verifiedAt ?? null
18
- });
19
- const getDomainVerificationRecordName = (domain) => `${ENTERPRISE_DOMAIN_VERIFICATION_PREFIX}.${normalizeDomain(domain)}`;
20
- const parseTxtAnswer = (value) => {
21
- const quoted = [...value.matchAll(/"([^"]*)"/g)].map((match) => match[1]);
22
- if (quoted.length > 0) return quoted.join("");
23
- return value.replace(/^"|"$/g, "").trim();
24
- };
25
- const resolveTxtValues = async (recordName) => {
26
- const url = new URL("https://dns.google/resolve");
27
- url.searchParams.set("name", recordName);
28
- url.searchParams.set("type", "TXT");
29
- const response = await fetch(url, { headers: { accept: "application/json" } });
30
- if (!response.ok) throw new Error(`DNS TXT lookup failed with status ${response.status}.`);
31
- return ((await response.json()).Answer ?? []).map((answer) => typeof answer.data === "string" ? parseTxtAnswer(answer.data) : null).filter((value) => value !== null && value.length > 0);
32
- };
33
- return {
34
- connection: {
35
- create: async (ctx, data) => {
36
- return {
37
- enterpriseId: await ctx.runMutation(config.component.public.enterpriseCreate, {
38
- ...data,
39
- policy: normalizeEnterprisePolicy(data.policy)
40
- }),
41
- groupId: data.groupId
42
- };
43
- },
44
- get: async (ctx, enterpriseId) => {
45
- return await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
46
- },
47
- getByGroup: async (ctx, groupId) => {
48
- return await ctx.runQuery(config.component.public.enterpriseGetByGroup, { groupId });
49
- },
50
- getByDomain: async (ctx, domain) => {
51
- return await ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(domain) });
52
- },
53
- list: async (ctx, opts) => {
54
- return await ctx.runQuery(config.component.public.enterpriseList, {
55
- where: opts?.where,
56
- limit: opts?.limit,
57
- cursor: opts?.cursor,
58
- orderBy: opts?.orderBy,
59
- order: opts?.order
60
- });
61
- },
62
- update: async (ctx, enterpriseId, data) => {
63
- await ctx.runMutation(config.component.public.enterpriseUpdate, {
64
- enterpriseId,
65
- data
66
- });
67
- return { enterpriseId };
68
- },
69
- delete: async (ctx, enterpriseId) => {
70
- await ctx.runMutation(config.component.public.enterpriseDelete, { enterpriseId });
71
- return { enterpriseId };
72
- },
73
- status: async (ctx, enterpriseId) => {
74
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
75
- if (!enterprise) throw Cv.error({
76
- code: "INVALID_PARAMETERS",
77
- message: enterpriseNotFoundError
78
- });
79
- const policy = getPolicyFromEnterprise(enterprise);
80
- const protocols = enterprise.config?.protocols ?? {};
81
- const oidcConfig = protocols.oidc;
82
- const oidcSecret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
83
- const samlConfig = protocols.saml;
84
- const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
85
- const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
86
- const oidcReady = oidcConfig?.enabled === true && typeof oidcConfig?.clientId === "string" && oidcConfig.clientId.length > 0 && oidcSecret !== null && (typeof oidcConfig?.issuer === "string" || typeof oidcConfig?.discoveryUrl === "string");
87
- const samlReady = samlConfig?.enabled === true && typeof samlConfig?.idp?.entityId === "string";
88
- const scimReady = scimConfig !== null && scimConfig !== void 0 && scimConfig.status === "active";
89
- const ready = enterprise.status === "active" && (oidcReady || samlReady);
90
- return {
91
- enterpriseId: enterprise._id,
92
- status: enterprise.status,
93
- ready,
94
- domainCount: domains.length,
95
- protocols: {
96
- oidc: {
97
- configured: oidcReady,
98
- ready: oidcReady,
99
- clientId: oidcConfig?.clientId ?? null,
100
- issuer: oidcConfig?.issuer ?? oidcConfig?.discoveryUrl ?? null
101
- },
102
- saml: {
103
- configured: samlReady,
104
- ready: samlReady,
105
- entityId: samlConfig?.idp?.entityId ?? null
106
- },
107
- scim: {
108
- configured: scimReady,
109
- ready: scimReady,
110
- basePath: scimConfig?.basePath ?? null,
111
- deprovisionMode: policy.provisioning.deprovision.mode
112
- }
113
- }
114
- };
115
- }
116
- },
117
- domain: {
118
- add: async (ctx, data) => {
119
- return await ctx.runMutation(config.component.public.enterpriseDomainAdd, {
120
- ...data,
121
- domain: normalizeDomain(data.domain)
122
- });
123
- },
124
- list: async (ctx, enterpriseId) => {
125
- return await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
126
- },
127
- validate: async (ctx, enterpriseId) => {
128
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
129
- if (enterprise === null) throw Cv.error({
130
- code: "INVALID_PARAMETERS",
131
- message: enterpriseNotFoundError
132
- });
133
- const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
134
- const primaryDomains = domains.filter((domain) => domain.isPrimary);
135
- const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
136
- const warnings = [];
137
- if (domains.length === 0) warnings.push("No domains configured.");
138
- if (primaryDomains.length === 0 && domains.length > 0) warnings.push("No primary domain configured.");
139
- if (primaryDomains.length > 1) warnings.push("Multiple primary domains configured.");
140
- if (verifiedDomains.length === 0 && domains.length > 0) warnings.push("No verified domains yet.");
141
- return {
142
- enterpriseId,
143
- ready: enterprise.status === "active" && domains.length > 0 && primaryDomains.length === 1 && verifiedDomains.length > 0,
144
- summary: {
145
- domainCount: domains.length,
146
- primaryCount: primaryDomains.length,
147
- verifiedCount: verifiedDomains.length
148
- },
149
- domains: domains.map((domain) => toDomainSummary(domain)),
150
- warnings
151
- };
152
- },
153
- remove: async (ctx, domainId) => {
154
- await ctx.runMutation(config.component.public.enterpriseDomainDelete, { domainId });
155
- },
156
- verification: {
157
- request: async (ctx, args) => {
158
- const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
159
- const normalizedDomain = normalizeDomain(args.domain);
160
- const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
161
- if (!domain) throw Cv.error({
162
- code: "INVALID_PARAMETERS",
163
- message: "Domain is not attached to this enterprise."
164
- });
165
- const requestedAt = Date.now();
166
- const expiresAt = requestedAt + ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS;
167
- const token = generateRandomString(32, INVITE_TOKEN_ALPHABET);
168
- const tokenHash = await sha256(token);
169
- const recordName = getDomainVerificationRecordName(normalizedDomain);
170
- await ctx.runMutation(config.component.public.enterpriseDomainVerificationUpsert, {
171
- enterpriseId: enterprise._id,
172
- groupId: enterprise.groupId,
173
- domainId: domain._id,
174
- domain: normalizedDomain,
175
- recordName,
176
- token,
177
- tokenHash,
178
- requestedAt,
179
- expiresAt
180
- });
181
- await recordEnterpriseAuditEvent(ctx, {
182
- enterpriseId: enterprise._id,
183
- groupId: enterprise.groupId,
184
- eventType: "enterprise.domain.verification_requested",
185
- actorType: "system",
186
- subjectType: "enterprise_domain",
187
- subjectId: domain._id,
188
- ok: true,
189
- metadata: {
190
- domain: normalizedDomain,
191
- recordName,
192
- expiresAt
193
- }
194
- });
195
- return {
196
- enterpriseId: enterprise._id,
197
- domain: normalizedDomain,
198
- requestedAt,
199
- expiresAt,
200
- challenge: {
201
- recordType: "TXT",
202
- recordName,
203
- recordValue: token
204
- }
205
- };
206
- },
207
- confirm: async (ctx, args) => {
208
- const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
209
- const normalizedDomain = normalizeDomain(args.domain);
210
- const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
211
- if (!domain) throw Cv.error({
212
- code: "INVALID_PARAMETERS",
213
- message: "Domain is not attached to this enterprise."
214
- });
215
- if (domain.verifiedAt !== void 0) return {
216
- ok: true,
217
- enterpriseId: enterprise._id,
218
- domain: normalizedDomain,
219
- verifiedAt: domain.verifiedAt,
220
- checks: [{
221
- name: "domain_verified",
222
- ok: true,
223
- message: "Domain is already verified."
224
- }]
225
- };
226
- const verification = await ctx.runQuery(config.component.public.enterpriseDomainVerificationGet, { domainId: domain._id });
227
- const checks = [];
228
- if (!verification) {
229
- checks.push({
230
- name: "verification_requested",
231
- ok: false,
232
- message: "No active domain verification challenge exists."
233
- });
234
- return {
235
- ok: false,
236
- enterpriseId: enterprise._id,
237
- domain: normalizedDomain,
238
- checks
239
- };
240
- }
241
- checks.push({
242
- name: "verification_requested",
243
- ok: true
244
- });
245
- if (verification.expiresAt < Date.now()) {
246
- await ctx.runMutation(config.component.public.enterpriseDomainVerificationDelete, { domainId: domain._id });
247
- checks.push({
248
- name: "challenge_active",
249
- ok: false,
250
- message: "The verification challenge expired. Request a new one."
251
- });
252
- return {
253
- ok: false,
254
- enterpriseId: enterprise._id,
255
- domain: normalizedDomain,
256
- checks
257
- };
258
- }
259
- checks.push({
260
- name: "challenge_active",
261
- ok: true
262
- });
263
- let txtValues;
264
- try {
265
- txtValues = await resolveTxtValues(verification.recordName);
266
- } catch (error) {
267
- throw Cv.error({
268
- code: "INTERNAL_ERROR",
269
- message: error instanceof Error ? error.message : "Failed to resolve DNS TXT records."
270
- });
271
- }
272
- checks.push({
273
- name: "dns_record_present",
274
- ok: txtValues.length > 0,
275
- message: txtValues.length > 0 ? void 0 : `No TXT records found at ${verification.recordName}.`
276
- });
277
- const matches = txtValues.includes(verification.token);
278
- checks.push({
279
- name: "dns_record_matches",
280
- ok: matches,
281
- message: matches ? void 0 : `TXT record at ${verification.recordName} does not match the expected value.`
282
- });
283
- if (!checks.every((check) => check.ok)) return {
284
- ok: false,
285
- enterpriseId: enterprise._id,
286
- domain: normalizedDomain,
287
- checks
288
- };
289
- const verifiedAt = Date.now();
290
- await ctx.runMutation(config.component.public.enterpriseDomainVerify, {
291
- domainId: domain._id,
292
- verifiedAt
293
- });
294
- await recordEnterpriseAuditEvent(ctx, {
295
- enterpriseId: enterprise._id,
296
- groupId: enterprise.groupId,
297
- eventType: "enterprise.domain.verified",
298
- actorType: "system",
299
- subjectType: "enterprise_domain",
300
- subjectId: domain._id,
301
- ok: true,
302
- metadata: {
303
- domain: normalizedDomain,
304
- verifiedAt
305
- }
306
- });
307
- return {
308
- ok: true,
309
- enterpriseId: enterprise._id,
310
- domain: normalizedDomain,
311
- verifiedAt,
312
- checks
313
- };
314
- }
315
- }
316
- },
317
- saml: {
318
- configure: async (ctx, data) => {
319
- return await Fx.run(Fx.gen(function* () {
320
- const enterprise = yield* Fx.from({
321
- ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
322
- err: () => Cv.error({
323
- code: "INTERNAL_ERROR",
324
- message: "Failed to load enterprise."
325
- })
326
- }).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
327
- code: "INVALID_PARAMETERS",
328
- message: enterpriseNotFoundError
329
- }) : Fx.succeed(ent)));
330
- const metadataXml = yield* data.metadataXml ? Fx.succeed(data.metadataXml) : data.metadataUrl ? Fx.defer(() => Fx.from({
331
- ok: async () => {
332
- const response = await fetch(data.metadataUrl);
333
- if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
334
- return await response.text();
335
- },
336
- err: (error) => Cv.error({
337
- code: "INVALID_PARAMETERS",
338
- message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
339
- })
340
- })).pipe(Fx.timeout(1e4), Fx.retry(Fx.retry.compose(Fx.retry.jittered(Fx.retry.exponential(200)), Fx.retry.recurs(2))), Fx.recover((error) => Cv.fail({
341
- code: "INVALID_PARAMETERS",
342
- message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
343
- }))) : Cv.fail({
344
- code: "INVALID_PARAMETERS",
345
- message: "SAML registration requires metadataXml or metadataUrl."
346
- });
347
- const parsed = yield* Fx.from({
348
- ok: () => parseSamlIdpMetadata(metadataXml),
349
- err: () => Cv.error({
350
- code: "INVALID_PARAMETERS",
351
- message: "Failed to parse SAML metadata."
352
- })
353
- });
354
- const baseConfig = upsertProtocolConfig(enterprise.config, "saml", {
355
- enabled: true,
356
- idp: {
357
- metadataXml,
358
- ...parsed
359
- },
360
- sp: data.sp,
361
- signAuthnRequests: data.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
362
- attributeMapping: data.attributeMapping
363
- });
364
- const normalizedDomains = data.domains?.map(normalizeDomain);
365
- const nextConfig = normalizedDomains ? {
366
- ...baseConfig,
367
- domains: normalizedDomains
368
- } : baseConfig;
369
- yield* Fx.from({
370
- ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
371
- enterpriseId: enterprise._id,
372
- data: {
373
- status: "active",
374
- config: nextConfig
375
- }
376
- }),
377
- err: () => Cv.error({
378
- code: "INTERNAL_ERROR",
379
- message: "Failed to persist SAML registration."
380
- })
381
- });
382
- if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) yield* Fx.from({
383
- ok: () => ctx.runMutation(config.component.public.enterpriseDomainAdd, {
384
- enterpriseId: enterprise._id,
385
- groupId: enterprise.groupId,
386
- domain,
387
- isPrimary: index === 0
388
- }),
389
- err: () => Cv.error({
390
- code: "INTERNAL_ERROR",
391
- message: "Failed to persist enterprise domain."
392
- })
393
- });
394
- yield* Fx.from({
395
- ok: () => recordEnterpriseAuditEvent(ctx, {
396
- enterpriseId: enterprise._id,
397
- groupId: enterprise.groupId,
398
- eventType: "enterprise.saml.registered",
399
- actorType: "system",
400
- subjectType: "enterprise_saml",
401
- subjectId: enterprise._id,
402
- ok: true,
403
- metadata: {
404
- metadataUrl: data.metadataUrl,
405
- domains: normalizedDomains
406
- }
407
- }),
408
- err: () => Cv.error({
409
- code: "INTERNAL_ERROR",
410
- message: "Failed to record SAML registration audit event."
411
- })
412
- });
413
- return {
414
- enterpriseId: enterprise._id,
415
- groupId: enterprise.groupId
416
- };
417
- }).pipe(Fx.recover((e) => Fx.fatal(e))));
418
- },
419
- metadata: async (ctx, opts) => {
420
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: opts.enterpriseId });
421
- if (!enterprise) throw Cv.error({
422
- code: "INVALID_PARAMETERS",
423
- message: "Enterprise not found."
424
- });
425
- return createServiceProviderMetadata(getSamlServiceProviderOptions({
426
- rootUrl: requireEnv("CONVEX_SITE_URL"),
427
- source: {
428
- kind: "enterprise",
429
- id: enterprise._id
430
- },
431
- config: enterprise.config,
432
- overrides: {
433
- entityId: opts.entityId,
434
- acsUrl: opts.acsUrl,
435
- sloUrl: opts.sloUrl
436
- }
437
- }));
438
- },
439
- validate: async (ctx, enterpriseId) => {
440
- const checks = [];
441
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
442
- if (!enterprise) return {
443
- ok: false,
444
- enterpriseId,
445
- checks: [{
446
- name: "enterprise_exists",
447
- ok: false,
448
- message: "Enterprise not found."
449
- }]
450
- };
451
- const samlConfig = enterprise.config?.protocols?.saml;
452
- const samlConfigured = samlConfig?.enabled === true && typeof samlConfig?.idp?.metadataXml === "string";
453
- checks.push({
454
- name: "saml_configured",
455
- ok: samlConfigured,
456
- message: samlConfigured ? void 0 : "SAML is not configured."
457
- });
458
- const hasIdpMetadata = typeof samlConfig?.idp?.metadataXml === "string" && samlConfig.idp.metadataXml.length > 0;
459
- checks.push({
460
- name: "idp_metadata_present",
461
- ok: hasIdpMetadata,
462
- message: hasIdpMetadata ? void 0 : "IdP metadata XML is missing."
463
- });
464
- const hasEntityId = typeof samlConfig?.idp?.entityId === "string" && samlConfig.idp.entityId.length > 0;
465
- checks.push({
466
- name: "idp_entity_id",
467
- ok: hasEntityId,
468
- message: hasEntityId ? void 0 : "IdP entityId could not be parsed from metadata."
469
- });
470
- let spMetadataOk = false;
471
- let spMetadataMessage;
472
- if (samlConfigured) try {
473
- createServiceProviderMetadata(getSamlServiceProviderOptions({
474
- rootUrl: requireEnv("CONVEX_SITE_URL"),
475
- source: {
476
- kind: "enterprise",
477
- id: enterprise._id
478
- },
479
- config: enterprise.config,
480
- overrides: {}
481
- }));
482
- spMetadataOk = true;
483
- } catch (e) {
484
- spMetadataMessage = e instanceof Error ? e.message : "SP metadata generation failed.";
485
- }
486
- else spMetadataMessage = "Skipped — SAML not configured.";
487
- checks.push({
488
- name: "sp_metadata_generates",
489
- ok: spMetadataOk,
490
- message: spMetadataMessage
491
- });
492
- return {
493
- ok: checks.every((c) => c.ok),
494
- enterpriseId: enterprise._id,
495
- checks
496
- };
497
- }
498
- },
499
- policy: {
500
- get: async (ctx, enterpriseId) => {
501
- return getPolicyFromEnterprise(await loadEnterpriseOrThrow(ctx, enterpriseId));
502
- },
503
- update: async (ctx, enterpriseId, patch) => {
504
- const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
505
- const policy = patchEnterprisePolicy(enterprise.policy, patch);
506
- await ctx.runMutation(config.component.public.enterpriseUpdate, {
507
- enterpriseId,
508
- data: { policy }
509
- });
510
- await recordEnterpriseAuditEvent(ctx, {
511
- enterpriseId: enterprise._id,
512
- groupId: enterprise.groupId,
513
- eventType: "enterprise.policy.updated",
514
- actorType: "system",
515
- subjectType: "enterprise_policy",
516
- subjectId: enterprise._id,
517
- ok: true,
518
- metadata: { version: policy.version }
519
- });
520
- return policy;
521
- },
522
- validate: async (ctx, enterpriseId) => {
523
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
524
- if (!enterprise) return {
525
- ok: false,
526
- enterpriseId,
527
- checks: [{
528
- name: "enterprise_exists",
529
- ok: false,
530
- message: enterpriseNotFoundError
531
- }]
532
- };
533
- const policy = getPolicyFromEnterprise(enterprise);
534
- const checks = validateEnterprisePolicy(policy);
535
- return {
536
- ok: checks.every((check) => check.ok),
537
- enterpriseId,
538
- policy,
539
- checks
540
- };
541
- }
542
- },
543
- oidc: {
544
- configure: async (ctx, data) => {
545
- return await Fx.run(Fx.gen(function* () {
546
- yield* Fx.guard(data.issuer === void 0 && data.discoveryUrl === void 0, Cv.fail({
547
- code: "INVALID_PARAMETERS",
548
- message: "OIDC registration requires issuer or discoveryUrl."
549
- }));
550
- const enterprise = yield* Fx.from({
551
- ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
552
- err: () => Cv.error({
553
- code: "INTERNAL_ERROR",
554
- message: "Failed to load enterprise."
555
- })
556
- }).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
557
- code: "INVALID_PARAMETERS",
558
- message: enterpriseNotFoundError
559
- }) : Fx.succeed(ent)));
560
- const nextConfig = upsertProtocolConfig(enterprise.config, "oidc", {
561
- enabled: true,
562
- issuer: data.issuer,
563
- discoveryUrl: data.discoveryUrl,
564
- clientId: data.clientId,
565
- scopes: data.scopes ?? [
566
- "openid",
567
- "profile",
568
- "email"
569
- ],
570
- authorizationParams: data.authorizationParams,
571
- clockToleranceSeconds: data.clockToleranceSeconds,
572
- strictIssuer: data.strictIssuer,
573
- extraFields: data.extraFields
574
- });
575
- yield* Fx.from({
576
- ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
577
- enterpriseId: data.enterpriseId,
578
- data: { config: nextConfig }
579
- }),
580
- err: () => Cv.error({
581
- code: "INTERNAL_ERROR",
582
- message: "Failed to persist OIDC registration."
583
- })
584
- });
585
- if (data.clientSecret !== void 0) {
586
- const ciphertext = yield* Fx.from({
587
- ok: () => encryptSecret(data.clientSecret),
588
- err: () => Cv.error({
589
- code: "INTERNAL_ERROR",
590
- message: "Failed to encrypt OIDC client secret."
591
- })
592
- });
593
- yield* Fx.from({
594
- ok: () => ctx.runMutation(config.component.public.enterpriseSecretUpsert, {
595
- enterpriseId: data.enterpriseId,
596
- groupId: enterprise.groupId,
597
- kind: ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
598
- ciphertext,
599
- updatedAt: Date.now()
600
- }),
601
- err: () => Cv.error({
602
- code: "INTERNAL_ERROR",
603
- message: "Failed to persist OIDC client secret."
604
- })
605
- });
606
- }
607
- yield* Fx.from({
608
- ok: () => recordEnterpriseAuditEvent(ctx, {
609
- enterpriseId: data.enterpriseId,
610
- groupId: enterprise.groupId,
611
- eventType: "enterprise.oidc.registered",
612
- actorType: "system",
613
- subjectType: "enterprise_oidc",
614
- subjectId: data.enterpriseId,
615
- ok: true,
616
- metadata: {
617
- issuer: data.issuer,
618
- discoveryUrl: data.discoveryUrl
619
- }
620
- }),
621
- err: () => Cv.error({
622
- code: "INTERNAL_ERROR",
623
- message: "Failed to record OIDC registration audit event."
624
- })
625
- });
626
- const secret = yield* Fx.from({
627
- ok: () => getEnterpriseSecret(ctx, data.enterpriseId, ENTERPRISE_OIDC_CLIENT_SECRET_KIND),
628
- err: () => Cv.error({
629
- code: "INTERNAL_ERROR",
630
- message: "Failed to load OIDC secret metadata."
631
- })
632
- });
633
- return withOidcSecretState(getPublicOidcConfig(nextConfig), secret !== null);
634
- }).pipe(Fx.recover((e) => Fx.fatal(e))));
635
- },
636
- get: async (ctx, enterpriseId) => {
637
- return await Fx.run(Fx.from({
638
- ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),
639
- err: () => Cv.error({
640
- code: "INTERNAL_ERROR",
641
- message: "Failed to load enterprise."
642
- })
643
- }).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
644
- code: "INVALID_PARAMETERS",
645
- message: enterpriseNotFoundError
646
- }) : Fx.succeed(ent)), Fx.chain((enterprise) => Fx.from({
647
- ok: async () => {
648
- const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
649
- return withOidcSecretState(getPublicOidcConfig(enterprise.config), secret !== null);
650
- },
651
- err: () => Cv.error({
652
- code: "INTERNAL_ERROR",
653
- message: "Failed to load OIDC secret metadata."
654
- })
655
- })), Fx.recover((e) => Fx.fatal(e))));
656
- },
657
- signIn: async (ctx, data) => {
658
- return await Fx.run(Fx.gen(function* () {
659
- const enterprise = data.enterpriseId !== void 0 ? yield* Fx.from({
660
- ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
661
- err: () => Cv.error({
662
- code: "INTERNAL_ERROR",
663
- message: "Failed to load enterprise."
664
- })
665
- }).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
666
- code: "INVALID_PARAMETERS",
667
- message: enterpriseNotFoundError
668
- }) : Fx.succeed(ent))) : data.domain !== void 0 || data.email !== void 0 ? yield* Fx.from({
669
- ok: () => ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(data.domain ?? String(data.email).split("@").pop() ?? "") }),
670
- err: () => Cv.error({
671
- code: "INTERNAL_ERROR",
672
- message: "Failed to resolve enterprise by domain."
673
- })
674
- }).pipe(Fx.chain((result) => result?.enterprise && result.domain?.verifiedAt !== void 0 ? Fx.succeed(result.enterprise) : Cv.fail({
675
- code: "INVALID_PARAMETERS",
676
- message: "No enterprise OIDC connection matched the provided input."
677
- }))) : yield* Cv.fail({
678
- code: "INVALID_PARAMETERS",
679
- message: "No enterprise OIDC connection matched the provided input."
680
- });
681
- yield* Fx.guard(enterprise.status !== "active", Cv.fail({
682
- code: "INVALID_PARAMETERS",
683
- message: "Enterprise connection is not active."
684
- }));
685
- const oidc = getOidcConfig(enterprise.config);
686
- yield* Fx.guard(oidc.enabled !== true, Cv.fail({
687
- code: "PROVIDER_NOT_CONFIGURED",
688
- message: "OIDC is not configured for this enterprise."
689
- }));
690
- const urls = getEnterpriseOidcUrls({
691
- rootUrl: requireEnv("CONVEX_SITE_URL"),
692
- enterpriseId: enterprise._id
693
- });
694
- return {
695
- enterpriseId: enterprise._id,
696
- providerId: enterpriseOidcProviderId(enterprise._id),
697
- signInPath: urls.signInUrl,
698
- callbackPath: urls.callbackUrl,
699
- redirectTo: data.redirectTo
700
- };
701
- }).pipe(Fx.recover((e) => Fx.fatal(e))));
702
- },
703
- validate: async (ctx, enterpriseId) => {
704
- const checks = [];
705
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
706
- if (!enterprise) return {
707
- ok: false,
708
- enterpriseId,
709
- checks: [{
710
- name: "enterprise_exists",
711
- ok: false,
712
- message: "Enterprise not found."
713
- }]
714
- };
715
- const oidc = getOidcConfig(enterprise.config);
716
- const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
717
- const oidcConfigured = oidc.enabled === true && typeof oidc.clientId === "string" && oidc.clientId.length > 0;
718
- checks.push({
719
- name: "oidc_configured",
720
- ok: oidcConfigured,
721
- message: oidcConfigured ? void 0 : "OIDC is not configured."
722
- });
723
- const hasClientId = typeof oidc.clientId === "string" && oidc.clientId.length > 0;
724
- checks.push({
725
- name: "client_id_present",
726
- ok: hasClientId,
727
- message: hasClientId ? void 0 : "clientId is missing."
728
- });
729
- checks.push({
730
- name: "client_secret_stored",
731
- ok: secret !== null,
732
- message: secret !== null ? void 0 : "OIDC client secret is missing."
733
- });
734
- const discoveryTarget = oidc.discoveryUrl ?? oidc.issuer;
735
- const hasDiscovery = typeof discoveryTarget === "string" && discoveryTarget.length > 0;
736
- checks.push({
737
- name: "issuer_or_discovery_url_present",
738
- ok: hasDiscovery,
739
- message: hasDiscovery ? void 0 : "issuer or discoveryUrl is missing."
740
- });
741
- let discoveryOk = false;
742
- let discoveryMessage;
743
- if (hasDiscovery) {
744
- const discoveryUrl = oidc.discoveryUrl?.length ? oidc.discoveryUrl : `${oidc.issuer}/.well-known/openid-configuration`;
745
- try {
746
- const res = await fetch(discoveryUrl, {
747
- headers: { Accept: "application/json" },
748
- signal: AbortSignal.timeout(8e3)
749
- });
750
- if (!res.ok) discoveryMessage = `Discovery endpoint returned ${res.status}.`;
751
- else {
752
- const json = await res.json();
753
- if (typeof json.issuer !== "string") discoveryMessage = "Discovery document is missing issuer field.";
754
- else if (typeof json.authorization_endpoint !== "string") discoveryMessage = "Discovery document is missing authorization_endpoint.";
755
- else discoveryOk = true;
756
- }
757
- } catch (e) {
758
- discoveryMessage = e instanceof Error ? `Discovery fetch failed: ${e.message}` : "Discovery fetch failed.";
759
- }
760
- } else discoveryMessage = "Skipped — issuer or discoveryUrl not set.";
761
- checks.push({
762
- name: "discovery_reachable",
763
- ok: discoveryOk,
764
- message: discoveryMessage
765
- });
766
- return {
767
- ok: checks.every((c) => c.ok),
768
- enterpriseId: enterprise._id,
769
- checks
770
- };
771
- }
772
- },
773
- scim: {
774
- configure: async (ctx, data) => {
775
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
776
- if (enterprise === null) throw Cv.error({
777
- code: "INVALID_PARAMETERS",
778
- message: "Enterprise not found."
779
- });
780
- const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
781
- const tokenHash = await sha256(rawToken);
782
- const configId = await ctx.runMutation(config.component.public.enterpriseScimConfigUpsert, {
783
- enterpriseId: enterprise._id,
784
- groupId: enterprise.groupId,
785
- status: data.status ?? "active",
786
- basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
787
- tokenHash,
788
- lastRotatedAt: Date.now()
789
- });
790
- const auditEventId = await recordEnterpriseAuditEvent(ctx, {
791
- enterpriseId: enterprise._id,
792
- groupId: enterprise.groupId,
793
- eventType: "enterprise.scim.configured",
794
- actorType: "system",
795
- subjectType: "enterprise_scim",
796
- subjectId: configId,
797
- ok: true
798
- });
799
- await emitEnterpriseWebhookDeliveries(ctx, {
800
- enterpriseId: enterprise._id,
801
- eventType: "enterprise.scim.configured",
802
- auditEventId,
803
- payload: {
804
- enterpriseId: enterprise._id,
805
- scimConfigId: configId
806
- }
807
- });
808
- return {
809
- enterpriseId: enterprise._id,
810
- configId,
811
- basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
812
- token: rawToken
813
- };
814
- },
815
- get: async (ctx, enterpriseId) => {
816
- return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
817
- },
818
- getConfigByToken: async (ctx, token) => {
819
- return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByTokenHash, { tokenHash: await sha256(token) });
820
- },
821
- validate: async (ctx, enterpriseId) => {
822
- const checks = [];
823
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
824
- if (!enterprise) return {
825
- ok: false,
826
- enterpriseId,
827
- checks: [{
828
- name: "enterprise_exists",
829
- ok: false,
830
- message: "Enterprise not found."
831
- }]
832
- };
833
- const policy = getPolicyFromEnterprise(enterprise);
834
- const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
835
- const hasConfig = scimConfig !== null && scimConfig !== void 0;
836
- checks.push({
837
- name: "scim_config_exists",
838
- ok: hasConfig,
839
- message: hasConfig ? void 0 : "SCIM has not been configured."
840
- });
841
- const isActive = hasConfig && scimConfig.status === "active";
842
- checks.push({
843
- name: "scim_config_active",
844
- ok: isActive,
845
- message: isActive ? void 0 : `SCIM config status is ${hasConfig ? scimConfig.status : "unknown"}.`
846
- });
847
- const hasToken = hasConfig && typeof scimConfig.tokenHash === "string" && scimConfig.tokenHash.length > 0;
848
- checks.push({
849
- name: "token_hash_set",
850
- ok: hasToken,
851
- message: hasToken ? void 0 : "SCIM bearer token has not been set."
852
- });
853
- const hasBasePath = hasConfig && typeof scimConfig.basePath === "string" && scimConfig.basePath.length > 0;
854
- checks.push({
855
- name: "base_path_set",
856
- ok: hasBasePath,
857
- message: hasBasePath ? void 0 : "SCIM basePath is missing."
858
- });
859
- return {
860
- ok: checks.every((c) => c.ok),
861
- enterpriseId: enterprise._id,
862
- basePath: hasBasePath ? scimConfig.basePath : null,
863
- deprovisionMode: policy.provisioning.deprovision.mode,
864
- checks
865
- };
866
- },
867
- identity: {
868
- get: async (ctx, data) => {
869
- return await ctx.runQuery(config.component.public.enterpriseScimIdentityGet, data);
870
- },
871
- upsert: async (ctx, data) => {
872
- return await ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
873
- ...data,
874
- lastProvisionedAt: Date.now()
875
- });
876
- }
877
- }
878
- },
879
- audit: {
880
- record: async (ctx, data) => {
881
- return await recordEnterpriseAuditEvent(ctx, data);
882
- },
883
- list: async (ctx, data) => {
884
- return await ctx.runQuery(config.component.public.enterpriseAuditEventList, data);
885
- }
886
- },
887
- webhook: {
888
- endpoint: {
889
- get: async (ctx, endpointId) => {
890
- return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointGet, { endpointId });
891
- },
892
- create: async (ctx, data) => {
893
- const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
894
- if (enterprise === null) throw Cv.error({
895
- code: "INVALID_PARAMETERS",
896
- message: "Enterprise not found."
897
- });
898
- const secretHash = await sha256(data.secret);
899
- const endpointId = await ctx.runMutation(config.component.public.enterpriseWebhookEndpointCreate, {
900
- enterpriseId: enterprise._id,
901
- groupId: enterprise.groupId,
902
- url: data.url,
903
- secretHash,
904
- subscriptions: data.subscriptions,
905
- createdByUserId: data.createdByUserId
906
- });
907
- await recordEnterpriseAuditEvent(ctx, {
908
- enterpriseId: enterprise._id,
909
- groupId: enterprise.groupId,
910
- eventType: "enterprise.webhook.endpoint.created",
911
- actorType: data.createdByUserId ? "user" : "system",
912
- actorId: data.createdByUserId,
913
- subjectType: "enterprise_webhook_endpoint",
914
- subjectId: endpointId,
915
- ok: true
916
- });
917
- return { endpointId };
918
- },
919
- list: async (ctx, enterpriseId) => {
920
- return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointList, { enterpriseId });
921
- },
922
- disable: async (ctx, endpointId) => {
923
- await ctx.runMutation(config.component.public.enterpriseWebhookEndpointUpdate, {
924
- endpointId,
925
- data: { status: "disabled" }
926
- });
927
- return { endpointId };
928
- }
929
- },
930
- emit: async (ctx, data) => {
931
- await emitEnterpriseWebhookDeliveries(ctx, data);
932
- },
933
- delivery: {
934
- list: async (ctx, data) => {
935
- return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryList, data);
936
- },
937
- listReady: async (ctx, limit) => {
938
- return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryListReady, {
939
- now: Date.now(),
940
- limit
941
- });
942
- },
943
- markDelivered: async (ctx, deliveryId, responseStatus) => {
944
- await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
945
- deliveryId,
946
- data: {
947
- status: "delivered",
948
- attemptCount: 1,
949
- lastAttemptAt: Date.now(),
950
- lastResponseStatus: responseStatus
951
- }
952
- });
953
- },
954
- markFailed: async (ctx, deliveryId, data) => {
955
- await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
956
- deliveryId,
957
- data: {
958
- status: data.retryAt ? "pending" : "failed",
959
- attemptCount: data.attemptCount,
960
- lastAttemptAt: Date.now(),
961
- lastResponseStatus: data.responseStatus,
962
- lastError: data.error,
963
- nextAttemptAt: data.retryAt ?? Date.now()
964
- }
965
- });
966
- }
967
- }
968
- }
969
- };
970
- }
971
-
972
- //#endregion
973
- export { createEnterpriseDomain };
974
- //# sourceMappingURL=domain.js.map