@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (666) hide show
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -1,1315 +0,0 @@
1
- import { AuthProviderConfig, KeyDoc, KeyScope, ScopeChecker, UserOrderBy, UserWhere } from "./types.js";
2
- import { Auth, GenericActionCtx, GenericDataModel } from "convex/server";
3
- import { GenericId } from "convex/values";
4
-
5
- //#region src/server/core.d.ts
6
- type ComponentCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">;
7
- type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery">;
8
- type ComponentAuthReadCtx = ComponentReadCtx & {
9
- auth: Auth;
10
- };
11
- type AccountCredentials = {
12
- id: string;
13
- secret?: string;
14
- };
15
- type CreateAccountArgs = {
16
- provider: string;
17
- account: AccountCredentials;
18
- profile: Record<string, unknown>;
19
- shouldLinkViaEmail?: boolean;
20
- shouldLinkViaPhone?: boolean;
21
- };
22
- type RetrieveAccountArgs = {
23
- provider: string;
24
- account: AccountCredentials;
25
- };
26
- type UpdateAccountCredentialsArgs = {
27
- provider: string;
28
- account: {
29
- id: string;
30
- secret: string;
31
- };
32
- };
33
- type CoreDeps = {
34
- config: any;
35
- getAuth: () => any;
36
- callInvalidateSessions: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: {
37
- userId: GenericId<"User">;
38
- except?: GenericId<"Session">[];
39
- }) => Promise<void>;
40
- callCreateAccountFromCredentials: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: CreateAccountArgs) => Promise<any>;
41
- callRetrieveAccountWithCredentials: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: RetrieveAccountArgs) => Promise<any>;
42
- callModifyAccount: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: UpdateAccountCredentialsArgs) => Promise<void>;
43
- getEnrichCtx: () => <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>) => any;
44
- inviteTokenAlphabet: string;
45
- inviteTokenLength: number;
46
- };
47
- /**
48
- * Build the core auth domains that back the canonical app API surface.
49
- *
50
- * Creates the grouped `user`, `session`, `account`, `provider`, `group`,
51
- * `member`, `invite`, and `key` APIs used by the higher-level auth
52
- * factory. Each namespace wraps the underlying Convex component functions with
53
- * application-friendly helpers, result shaping, and documentation-friendly
54
- * method names.
55
- *
56
- * @param deps - Internal component wiring, provider config, and helper
57
- * functions needed to construct the domain API surface.
58
- * @returns The core domain namespaces consumed by the auth factory.
59
- */
60
- declare function createCoreDomains(deps: CoreDeps): {
61
- user: {
62
- /**
63
- * Fetch a user document by ID.
64
- *
65
- * Results are **cached per-execution** — calling `auth.user.get(ctx, id)`
66
- * multiple times within the same query or mutation handler for the same
67
- * `userId` returns the cached result without an additional component read.
68
- *
69
- * @param ctx - Convex query or mutation context.
70
- * @param userId - The user's document ID.
71
- * @returns The user document, or `null` if not found.
72
- *
73
- * @example
74
- * ```ts
75
- * const user = await auth.user.get(ctx, userId);
76
- * const name = user?.name ?? user?.email ?? "Unknown";
77
- * ```
78
- */
79
- get: (ctx: ComponentReadCtx, userId: string) => Promise<any>;
80
- /**
81
- * List users with optional filtering, pagination, and ordering.
82
- *
83
- * Supports filtering by `email`, `phone`, `name`, and `isAnonymous`.
84
- * Results are paginated — pass `cursor` from a previous response to
85
- * load the next page.
86
- *
87
- * @param ctx - Convex query or mutation context.
88
- * @param opts.where - Filter criteria (all optional, combined with AND).
89
- * @param opts.limit - Max items per page (default 50, max 100).
90
- * @param opts.cursor - Cursor from a previous `nextCursor` for pagination.
91
- * @param opts.orderBy - Sort field: `"_creationTime"` (default), `"email"`, etc.
92
- * @param opts.order - Sort direction: `"asc"` or `"desc"` (default `"desc"`).
93
- * @returns `{ items, nextCursor }` — `nextCursor` is `null` when no more pages.
94
- *
95
- * @example
96
- * ```ts
97
- * const { items, nextCursor } = await auth.user.list(ctx, {
98
- * where: { email: "alice@example.com" },
99
- * limit: 10,
100
- * });
101
- * ```
102
- */
103
- list: (ctx: ComponentReadCtx, opts?: {
104
- where?: UserWhere;
105
- limit?: number;
106
- cursor?: string | null;
107
- orderBy?: UserOrderBy;
108
- order?: "asc" | "desc";
109
- }) => Promise<any>;
110
- /**
111
- * Convenience method: resolve the current session user and fetch their
112
- * full document in one call. Returns `null` if unauthenticated.
113
- *
114
- * @param ctx - Convex query or mutation context with `auth` for session lookup.
115
- * @returns The authenticated user's document, or `null` if unauthenticated.
116
- *
117
- * @example
118
- * ```ts
119
- * const viewer = await auth.user.viewer(ctx);
120
- * if (!viewer) throw new Error("Not signed in");
121
- * console.log(viewer.name, viewer.email);
122
- * ```
123
- */
124
- viewer: (ctx: ComponentAuthReadCtx) => Promise<any>;
125
- /**
126
- * Patch a user document. Accepts any fields defined on the User schema
127
- * (e.g. `name`, `image`, `email`, `extend`).
128
- *
129
- * @param ctx - Convex mutation context.
130
- * @param userId - The user's document ID.
131
- * @param data - Fields to merge into the user document.
132
- * @returns `{ userId }`.
133
- *
134
- * @example
135
- * ```ts
136
- * await auth.user.update(ctx, userId, {
137
- * name: "Alice Smith",
138
- * image: "https://example.com/avatar.png",
139
- * });
140
- * ```
141
- */
142
- update: (ctx: ComponentCtx, userId: string, data: Record<string, unknown>) => Promise<{
143
- userId: string;
144
- }>;
145
- /**
146
- * Set the user's active group. Stored in `user.extend.lastActiveGroup`.
147
- * Pass `groupId: null` to clear. Useful for multi-workspace apps
148
- * where the UI needs to remember which workspace is selected.
149
- *
150
- * @param ctx - Convex mutation context.
151
- * @param opts.userId - The user's document ID.
152
- * @param opts.groupId - Group ID to set as active, or `null` to clear.
153
- * @returns `{ userId, groupId }` confirming the active group was set (or cleared).
154
- *
155
- * @example
156
- * ```ts
157
- * // Switch to a workspace
158
- * await auth.user.setActiveGroup(ctx, { userId, groupId: workspaceId });
159
- *
160
- * // Clear the active workspace
161
- * await auth.user.setActiveGroup(ctx, { userId, groupId: null });
162
- * ```
163
- */
164
- setActiveGroup: (ctx: ComponentCtx, opts: {
165
- userId: string;
166
- groupId: string | null;
167
- }) => Promise<{
168
- userId: string;
169
- groupId: null;
170
- } | {
171
- userId: string;
172
- groupId: string;
173
- }>;
174
- /**
175
- * Read the user's active group ID from `user.extend.lastActiveGroup`.
176
- * Returns `null` if no active group is set.
177
- *
178
- * @param ctx - Convex query or mutation context.
179
- * @param opts.userId - The user's document ID.
180
- * @returns The active group's document ID, or `null` if none is set.
181
- *
182
- * @example
183
- * ```ts
184
- * const activeGroupId = await auth.user.getActiveGroup(ctx, { userId });
185
- * if (activeGroupId) {
186
- * const group = await auth.group.get(ctx, activeGroupId);
187
- * }
188
- * ```
189
- */
190
- getActiveGroup: (ctx: ComponentReadCtx, opts: {
191
- userId: string;
192
- }) => Promise<string | null>;
193
- /**
194
- * Delete a user and all associated data.
195
- *
196
- * By default (`cascade: true`) deletes the user's sessions, accounts,
197
- * API keys, group memberships, passkey credentials, and TOTP factors.
198
- * Pass `{ cascade: false }` to delete only the user document itself.
199
- *
200
- * @param ctx - Convex mutation context.
201
- * @param userId - The user's document ID.
202
- * @param opts.cascade - Whether to delete related records (default `true`).
203
- * @returns `{ userId }`.
204
- * @throws `INVALID_PARAMETERS` if `cascade` is `false` but the user has linked data.
205
- */
206
- delete: (ctx: ComponentCtx, userId: string, opts?: {
207
- cascade?: boolean;
208
- }) => Promise<{
209
- userId: string;
210
- }>;
211
- };
212
- session: {
213
- /**
214
- * Resolve the current session's ID from the JWT.
215
- *
216
- * Extracts the `sessionId` portion of the `subject` claim in the
217
- * identity token returned by `ctx.auth.getUserIdentity()`. The subject
218
- * is encoded as `userId<divider>sessionId`, so this splits on the
219
- * divider and returns the second segment.
220
- *
221
- * Returns `null` when there is no authenticated identity (i.e. no
222
- * valid session JWT).
223
- *
224
- * @param ctx - Convex query, mutation, or action context (must include `auth`).
225
- * @returns The current session's document ID, or `null` if unauthenticated.
226
- *
227
- * @example
228
- * ```ts
229
- * const sessionId = await auth.session.current(ctx);
230
- * if (!sessionId) throw new Error("Not signed in");
231
- * ```
232
- */
233
- current: (ctx: {
234
- auth: Auth;
235
- }) => Promise<GenericId<"Session"> | null>;
236
- /**
237
- * Invalidate (sign out) all sessions for a given user.
238
- *
239
- * Marks every session belonging to `userId` as invalid so that
240
- * subsequent requests using those session JWTs will fail authentication.
241
- * Optionally, one or more sessions can be excluded — this is useful
242
- * when you want to sign out all *other* devices while keeping the
243
- * current session alive.
244
- *
245
- * This method delegates to the component's internal session
246
- * invalidation RPC.
247
- *
248
- * @param ctx - Convex action context.
249
- * @param args.userId - The user whose sessions should be invalidated.
250
- * @param args.except - Optional array of session IDs to keep valid.
251
- * @returns `{ userId, except }` confirming the operation.
252
- *
253
- * @example Sign out everywhere except the current session
254
- * ```ts
255
- * const sessionId = await auth.session.current(ctx);
256
- * await auth.session.invalidate(ctx, {
257
- * userId,
258
- * except: sessionId ? [sessionId] : [],
259
- * });
260
- * ```
261
- */
262
- invalidate: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: {
263
- userId: GenericId<"User">;
264
- except?: GenericId<"Session">[];
265
- }) => Promise<{
266
- userId: GenericId<"User">;
267
- except: GenericId<"Session">[];
268
- }>;
269
- /**
270
- * Fetch a session document by ID.
271
- *
272
- * Returns the full session document from the component database, or
273
- * `null` if no session with the given ID exists. Useful for inspecting
274
- * session metadata such as creation time or associated device info.
275
- *
276
- * @param ctx - Convex query or mutation context.
277
- * @param sessionId - The session's document ID.
278
- * @returns The session document, or `null` if not found.
279
- *
280
- * @example
281
- * ```ts
282
- * const session = await auth.session.get(ctx, sessionId);
283
- * if (!session) throw new Error("Session not found");
284
- * ```
285
- */
286
- get: (ctx: ComponentReadCtx, sessionId: string) => Promise<any>;
287
- /**
288
- * List all sessions belonging to a user.
289
- *
290
- * Returns every session document associated with the given `userId`,
291
- * including both active and expired sessions. This is useful for
292
- * building "active sessions" UIs or auditing sign-in history.
293
- *
294
- * @param ctx - Convex query or mutation context.
295
- * @param opts.userId - The user whose sessions to list.
296
- * @returns An array of session documents.
297
- *
298
- * @example
299
- * ```ts
300
- * const sessions = await auth.session.list(ctx, { userId });
301
- * console.log(`User has ${sessions.length} sessions`);
302
- * ```
303
- */
304
- list: (ctx: ComponentReadCtx, opts: {
305
- userId: string;
306
- }) => Promise<any>;
307
- };
308
- account: {
309
- /**
310
- * Create a new auth account linked to a user.
311
- *
312
- * Creates a credentials-based account record for a given provider. If
313
- * the user does not yet exist, one is created from the supplied
314
- * `profile`. If `shouldLinkViaEmail` or `shouldLinkViaPhone` is set,
315
- * the account may be linked to an existing user whose email or phone
316
- * matches the profile.
317
- *
318
- * The `account.secret` (e.g. a hashed password) is optional and
319
- * depends on the provider type.
320
- *
321
- * @param ctx - Convex action context.
322
- * @param args.provider - The provider ID (e.g. `"password"`, `"credentials"`).
323
- * @param args.account.id - Provider-specific account identifier (e.g. email address).
324
- * @param args.account.secret - Optional credential secret (e.g. hashed password).
325
- * @param args.profile - Profile data used to create or update the user document.
326
- * @param args.shouldLinkViaEmail - If `true`, link to an existing user by email match.
327
- * @param args.shouldLinkViaPhone - If `true`, link to an existing user by phone match.
328
- * @returns The created account and user information.
329
- *
330
- * @example
331
- * ```ts
332
- * const result = await auth.account.create(ctx, {
333
- * provider: "password",
334
- * account: { id: "alice@example.com", secret: hashedPassword },
335
- * profile: { email: "alice@example.com", name: "Alice" },
336
- * });
337
- * ```
338
- */
339
- create: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: CreateAccountArgs) => Promise<any>;
340
- /**
341
- * Retrieve an auth account by provider and credentials.
342
- *
343
- * Looks up an account matching the given provider and account ID,
344
- * optionally verifying the secret (e.g. password). If the account
345
- * exists and the credentials are valid, the full account document is
346
- * returned. Returns `null` if no matching account is found or if the
347
- * credential verification fails (indicated by a string error from the
348
- * underlying RPC).
349
- *
350
- * @param ctx - Convex action context.
351
- * @param args.provider - The provider ID (e.g. `"password"`).
352
- * @param args.account.id - Provider-specific account identifier.
353
- * @param args.account.secret - Optional credential secret to verify.
354
- * @returns The account document, or `null` if not found or verification failed.
355
- *
356
- * @example
357
- * ```ts
358
- * const acct = await auth.account.get(ctx, {
359
- * provider: "password",
360
- * account: { id: "alice@example.com", secret: plainTextPassword },
361
- * });
362
- * if (!acct) throw new Error("Invalid credentials");
363
- * ```
364
- */
365
- get: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: RetrieveAccountArgs) => Promise<any>;
366
- /**
367
- * Update the credentials (secret) for an existing auth account.
368
- *
369
- * Replaces the stored secret for the account identified by `provider`
370
- * and `account.id`. This is the standard path for password changes
371
- * and password resets — the new secret is typically a freshly hashed
372
- * password.
373
- *
374
- * @param ctx - Convex action context.
375
- * @param args.provider - The provider ID (e.g. `"password"`).
376
- * @param args.account.id - Provider-specific account identifier.
377
- * @param args.account.secret - The new credential secret to store.
378
- * @returns `{ accountId }` confirming the update.
379
- *
380
- * @example Password reset
381
- * ```ts
382
- * await auth.account.update(ctx, {
383
- * provider: "password",
384
- * account: { id: "alice@example.com", secret: newHashedPassword },
385
- * });
386
- * ```
387
- */
388
- update: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: UpdateAccountCredentialsArgs) => Promise<{
389
- accountId: string;
390
- }>;
391
- /**
392
- * Delete an auth account by ID.
393
- *
394
- * Removes the account record from the database. As a safety measure,
395
- * deletion is **refused** if this is the user's only remaining account
396
- * — the user must always have at least one linked account. If the
397
- * account is not found, returns an error result instead of throwing.
398
- *
399
- * @param ctx - Convex mutation context.
400
- * @param accountId - The account's document ID.
401
- * @returns `{ accountId }` on success.
402
- * @throws `ACCOUNT_NOT_FOUND` if the account does not exist.
403
- * @throws `INVALID_PARAMETERS` if it is the user's last account.
404
- *
405
- * @example
406
- * ```ts
407
- * await auth.account.delete(ctx, accountId);
408
- * ```
409
- */
410
- delete: (ctx: ComponentCtx, accountId: string) => Promise<{
411
- accountId: string;
412
- }>;
413
- /**
414
- * List all passkey credentials registered for a user.
415
- *
416
- * Returns every WebAuthn passkey credential associated with the given
417
- * `userId`. Each document includes the credential's public key,
418
- * metadata (such as a human-readable name), and counters used for
419
- * replay protection.
420
- *
421
- * @param ctx - Convex query or mutation context.
422
- * @param opts.userId - The user whose passkeys to list.
423
- * @returns An array of passkey credential documents.
424
- *
425
- * @example
426
- * ```ts
427
- * const passkeys = await auth.account.listPasskeys(ctx, { userId });
428
- * for (const pk of passkeys) {
429
- * console.log(pk.name ?? "Unnamed passkey", pk._id);
430
- * }
431
- * ```
432
- */
433
- listPasskeys: (ctx: ComponentReadCtx, opts: {
434
- userId: string;
435
- }) => Promise<any>;
436
- /**
437
- * Rename a passkey credential.
438
- *
439
- * Updates the human-readable `name` metadata on a passkey document.
440
- * Useful for letting users label their passkeys (e.g. "MacBook Pro",
441
- * "YubiKey 5").
442
- *
443
- * @param ctx - Convex mutation context.
444
- * @param passkeyId - The passkey credential's document ID.
445
- * @param name - The new display name for the passkey.
446
- * @returns `{ passkeyId }` confirming the rename.
447
- *
448
- * @example
449
- * ```ts
450
- * await auth.account.renamePasskey(ctx, passkeyId, "Work laptop");
451
- * ```
452
- */
453
- renamePasskey: (ctx: ComponentCtx, passkeyId: string, name: string) => Promise<{
454
- passkeyId: string;
455
- }>;
456
- /**
457
- * Delete a passkey credential.
458
- *
459
- * Permanently removes a WebAuthn passkey credential from the database.
460
- * After deletion, the physical authenticator associated with this
461
- * credential can no longer be used to sign in.
462
- *
463
- * @param ctx - Convex mutation context.
464
- * @param passkeyId - The passkey credential's document ID.
465
- * @returns `{ passkeyId }` confirming the deletion.
466
- *
467
- * @example
468
- * ```ts
469
- * await auth.account.deletePasskey(ctx, passkeyId);
470
- * ```
471
- */
472
- deletePasskey: (ctx: ComponentCtx, passkeyId: string) => Promise<{
473
- passkeyId: string;
474
- }>;
475
- /**
476
- * List all TOTP (time-based one-time password) factors for a user.
477
- *
478
- * Returns every TOTP authenticator factor registered for the given
479
- * `userId`. Each document includes the secret, issuer, and verification
480
- * metadata needed for two-factor authentication management UIs.
481
- *
482
- * @param ctx - Convex query or mutation context.
483
- * @param opts.userId - The user whose TOTP factors to list.
484
- * @returns An array of TOTP factor documents.
485
- *
486
- * @example
487
- * ```ts
488
- * const totps = await auth.account.listTotps(ctx, { userId });
489
- * const has2FA = totps.length > 0;
490
- * ```
491
- */
492
- listTotps: (ctx: ComponentReadCtx, opts: {
493
- userId: string;
494
- }) => Promise<any>;
495
- /**
496
- * Delete a TOTP factor.
497
- *
498
- * Permanently removes a TOTP authenticator factor from the database.
499
- * After deletion, codes generated by the corresponding authenticator
500
- * app will no longer be accepted for two-factor authentication.
501
- *
502
- * @param ctx - Convex mutation context.
503
- * @param totpId - The TOTP factor's document ID.
504
- * @returns `{ totpId }` confirming the deletion.
505
- *
506
- * @example
507
- * ```ts
508
- * await auth.account.deleteTotp(ctx, totpId);
509
- * ```
510
- */
511
- deleteTotp: (ctx: ComponentCtx, totpId: string) => Promise<{
512
- totpId: string;
513
- }>;
514
- };
515
- provider: {
516
- /**
517
- * Sign in through a specific provider from server-side code.
518
- *
519
- * Materializes the supplied provider config, runs the standard sign-in
520
- * flow, and returns the resulting `userId` and `sessionId` when the
521
- * provider completes authentication immediately. Returns `null` for
522
- * providers that require additional client-side steps (for example
523
- * redirects, email verification, or other non-immediate flows).
524
- *
525
- * This helper is useful for trusted server flows where you already know
526
- * which provider should handle the sign-in and want the same behavior as
527
- * the public auth API without generating tokens for the client.
528
- *
529
- * @param ctx - Convex action context.
530
- * @param providerConfig - Provider configuration object to materialize and use.
531
- * @param args.accountId - Optional account document ID to sign in with directly.
532
- * @param args.params - Optional provider-specific parameters forwarded to the sign-in flow.
533
- * @returns `{ userId, sessionId }` when sign-in succeeds immediately, or `null`
534
- * when the provider does not produce an immediate signed-in result.
535
- *
536
- * @example
537
- * ```ts
538
- * const signedIn = await auth.provider.signIn(ctx, passwordProvider, {
539
- * params: { email: "alice@example.com", password: "secret" },
540
- * });
541
- *
542
- * if (!signedIn) {
543
- * throw new Error("Provider requires another auth step");
544
- * }
545
- * ```
546
- */
547
- signIn: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, providerConfig: AuthProviderConfig, args: {
548
- accountId?: GenericId<"Account">;
549
- params?: Record<string, unknown>;
550
- }) => Promise<{
551
- userId: GenericId<"User">;
552
- sessionId: GenericId<"Session">;
553
- } | null>;
554
- };
555
- group: {
556
- /**
557
- * Create a new group (organization, workspace, team, etc.).
558
- *
559
- * Groups are hierarchical — set `parentGroupId` to nest under an existing
560
- * group, or omit it to create a root-level group. Two denormalized fields
561
- * are maintained automatically:
562
- *
563
- * - `rootGroupId` — the root ancestor (self-referencing for root groups).
564
- * - `isRoot` — `true` when the group has no parent.
565
- *
566
- * @param ctx - Convex mutation context.
567
- * @param data.name - Display name for the group.
568
- * @param data.slug - URL-safe slug (optional).
569
- * @param data.type - App-defined type string (e.g. `"workspace"`, `"team"`).
570
- * @param data.parentGroupId - Nest under this group. Omit for a root group.
571
- * @param data.tags - Faceted classification tags (normalized at write time).
572
- * @param data.extend - Arbitrary app-specific metadata.
573
- * @returns `{ groupId }`.
574
- *
575
- * @example Root group
576
- * ```ts
577
- * const { groupId } = await auth.group.create(ctx, {
578
- * name: "Acme Corp", type: "workspace",
579
- * });
580
- * ```
581
- *
582
- * @example Nested team
583
- * ```ts
584
- * const { groupId } = await auth.group.create(ctx, {
585
- * name: "Engineering", parentGroupId: orgId, type: "team",
586
- * });
587
- * ```
588
- */
589
- create: (ctx: ComponentCtx, data: {
590
- name: string;
591
- slug?: string;
592
- type?: string;
593
- parentGroupId?: string;
594
- tags?: Array<{
595
- key: string;
596
- value: string;
597
- }>;
598
- extend?: Record<string, unknown>;
599
- }) => Promise<{
600
- groupId: string;
601
- }>;
602
- /**
603
- * Fetch a group document by ID.
604
- *
605
- * Results are **cached per-execution** — calling `auth.group.get(ctx, id)`
606
- * multiple times within the same handler for the same `groupId` returns
607
- * the cached result without an additional component read.
608
- *
609
- * @param ctx - Convex query or mutation context.
610
- * @param groupId - The group's document ID.
611
- * @returns The group document (including `rootGroupId`, `isRoot`), or `null`.
612
- */
613
- get: (ctx: ComponentReadCtx, groupId: string) => Promise<any>;
614
- /**
615
- * List groups with optional filtering, pagination, and ordering.
616
- *
617
- * Supports filtering by `slug`, `type`, `parentGroupId`, `name`,
618
- * `isRoot`, and tags (`tagsAll`, `tagsAny`). The `isRoot` and
619
- * `parentGroupId` filters use dedicated indexes for efficient queries.
620
- *
621
- * @param ctx - Convex query or mutation context.
622
- * @param opts.where - Filter criteria (all optional, combined with AND).
623
- * @param opts.where.isRoot - `true` to find root groups, `false` for nested.
624
- * @param opts.where.parentGroupId - List direct children of this group.
625
- * @param opts.limit - Max items per page (default 50, max 100).
626
- * @param opts.cursor - Cursor from a previous `nextCursor`.
627
- * @param opts.orderBy - Sort field: `"_creationTime"`, `"name"`, `"slug"`, `"type"`.
628
- * @param opts.order - Sort direction: `"asc"` or `"desc"`.
629
- * @returns `{ items, nextCursor }`.
630
- *
631
- * @example List root workspaces
632
- * ```ts
633
- * const { items } = await auth.group.list(ctx, {
634
- * where: { isRoot: true },
635
- * orderBy: "name", order: "asc",
636
- * });
637
- * ```
638
- *
639
- * @example List children of a group
640
- * ```ts
641
- * const { items } = await auth.group.list(ctx, {
642
- * where: { parentGroupId: orgId },
643
- * });
644
- * ```
645
- */
646
- list: (ctx: ComponentReadCtx, opts?: {
647
- where?: {
648
- slug?: string;
649
- type?: string;
650
- parentGroupId?: string;
651
- name?: string;
652
- isRoot?: boolean;
653
- tagsAll?: Array<{
654
- key: string;
655
- value: string;
656
- }>;
657
- tagsAny?: Array<{
658
- key: string;
659
- value: string;
660
- }>;
661
- };
662
- limit?: number;
663
- cursor?: string | null;
664
- orderBy?: "_creationTime" | "name" | "slug" | "type";
665
- order?: "asc" | "desc";
666
- }) => Promise<any>;
667
- /**
668
- * Patch a group document.
669
- *
670
- * If `parentGroupId` is changed, the group's `rootGroupId` and `isRoot`
671
- * fields are recomputed automatically and cascaded to all descendants.
672
- *
673
- * @param ctx - Convex mutation context.
674
- * @param groupId - The group's document ID.
675
- * @param data - Fields to merge (e.g. `name`, `slug`, `tags`, `parentGroupId`).
676
- * @returns `{ groupId }`.
677
- *
678
- * @example
679
- * ```ts
680
- * await auth.group.update(ctx, groupId, {
681
- * name: "Acme Corp (renamed)",
682
- * slug: "acme-corp",
683
- * });
684
- * ```
685
- */
686
- update: (ctx: ComponentCtx, groupId: string, data: Record<string, unknown>) => Promise<{
687
- groupId: string;
688
- }>;
689
- /**
690
- * Delete a group and recursively cascade to all descendant groups,
691
- * their members, invites, and tags.
692
- *
693
- * @param ctx - Convex mutation context.
694
- * @param groupId - The group's document ID.
695
- * @returns `{ groupId }`.
696
- *
697
- * @example
698
- * ```ts
699
- * await auth.group.delete(ctx, groupId);
700
- * ```
701
- */
702
- delete: (ctx: ComponentCtx, groupId: string) => Promise<{
703
- groupId: string;
704
- }>;
705
- /**
706
- * Walk up the group hierarchy from `groupId` and return all ancestor
707
- * groups in order from immediate parent to root. Detects cycles and
708
- * respects `maxDepth` (default 32).
709
- *
710
- * @param ctx - Convex query or mutation context.
711
- * @param opts.groupId - Starting group ID.
712
- * @param opts.maxDepth - Max levels to traverse (default 32).
713
- * @param opts.includeSelf - Include the starting group in the result.
714
- * @returns `{ ancestors, cycleDetected, maxDepthReached }`.
715
- *
716
- * @example
717
- * ```ts
718
- * const { ancestors } = await auth.group.ancestors(ctx, {
719
- * groupId: teamId,
720
- * includeSelf: true,
721
- * });
722
- * const rootOrg = ancestors[ancestors.length - 1];
723
- * ```
724
- */
725
- ancestors: (ctx: ComponentReadCtx, opts: {
726
- groupId: string;
727
- maxDepth?: number;
728
- includeSelf?: boolean;
729
- }) => Promise<{
730
- ancestors: any[];
731
- cycleDetected: boolean;
732
- maxDepthReached: boolean;
733
- }>;
734
- };
735
- member: {
736
- /**
737
- * Add a user to a group with optional role IDs.
738
- *
739
- * Role IDs are validated against the roles defined in `defineRoles()` —
740
- * invalid IDs throw `INVALID_ROLE_IDS`.
741
- * Throws `DUPLICATE_MEMBERSHIP` if the user is already a member.
742
- *
743
- * @param ctx - Convex mutation context.
744
- * @param data.groupId - The group to add the user to.
745
- * @param data.userId - The user's document ID.
746
- * @param data.roleIds - Role IDs from `defineRoles()` (optional).
747
- * @param data.status - Membership status string (optional, app-defined).
748
- * @param data.extend - Arbitrary app-specific metadata.
749
- * @returns `{ memberId }`.
750
- * @throws `INVALID_ROLE_IDS` if any supplied role IDs are not defined.
751
- *
752
- * @example
753
- * ```ts
754
- * const { memberId } = await auth.member.create(ctx, {
755
- * groupId: orgId,
756
- * userId,
757
- * roleIds: [roles.orgAdmin.id],
758
- * });
759
- * ```
760
- */
761
- create: (ctx: ComponentCtx, data: {
762
- groupId: string;
763
- userId: string;
764
- roleIds?: string[];
765
- status?: string;
766
- extend?: Record<string, unknown>;
767
- }) => Promise<{
768
- memberId: string;
769
- }>;
770
- /**
771
- * Fetch a membership document by its document ID.
772
- *
773
- * @param ctx - Convex query or mutation context.
774
- * @param memberId - The membership document ID.
775
- * @returns The membership document, or `null` if not found.
776
- *
777
- * @example
778
- * ```ts
779
- * const membership = await auth.member.get(ctx, memberId);
780
- * if (!membership) throw new Error("Membership not found");
781
- * console.log(membership.roleIds, membership.groupId);
782
- * ```
783
- */
784
- get: (ctx: ComponentReadCtx, memberId: string) => Promise<any>;
785
- /**
786
- * List memberships with optional filtering and pagination.
787
- *
788
- * Supports filtering by `groupId`, `userId`, `roleId`, and `status`.
789
- * When `groupId` and `status` are both provided, a compound index
790
- * is used for efficient queries.
791
- *
792
- * @param ctx - Convex query or mutation context.
793
- * @param opts.where - Filter criteria (all optional).
794
- * @param opts.limit - Max items per page (default 50, max 100).
795
- * @param opts.cursor - Cursor for pagination.
796
- * @param opts.orderBy - Sort field: `"_creationTime"` or `"status"`.
797
- * @param opts.order - Sort direction: `"asc"` or `"desc"`.
798
- * @returns `{ items, nextCursor }`.
799
- *
800
- * @example
801
- * ```ts
802
- * const { items } = await auth.member.list(ctx, {
803
- * where: { groupId: orgId },
804
- * limit: 20,
805
- * orderBy: "_creationTime",
806
- * order: "asc",
807
- * });
808
- * ```
809
- */
810
- list: (ctx: ComponentReadCtx, opts?: {
811
- where?: {
812
- groupId?: string;
813
- userId?: string;
814
- roleId?: string;
815
- status?: string;
816
- };
817
- limit?: number;
818
- cursor?: string | null;
819
- orderBy?: "_creationTime" | "status";
820
- order?: "asc" | "desc";
821
- }) => Promise<any>;
822
- /**
823
- * Remove a membership by its document ID.
824
- *
825
- * @param ctx - Convex mutation context.
826
- * @param memberId - The membership document ID.
827
- * @returns `{ memberId }`.
828
- *
829
- * @example
830
- * ```ts
831
- * await auth.member.delete(ctx, memberId);
832
- * ```
833
- */
834
- delete: (ctx: ComponentCtx, memberId: string) => Promise<{
835
- memberId: string;
836
- }>;
837
- /**
838
- * Patch a membership's `roleIds`, `status`, or `extend` fields.
839
- * Role IDs are validated against `defineRoles()`.
840
- *
841
- * @param ctx - Convex mutation context.
842
- * @param memberId - The membership document ID.
843
- * @param data - Fields to merge. `roleIds` are validated.
844
- * @returns `{ memberId }`.
845
- * @throws `INVALID_ROLE_IDS` if any supplied role IDs are not defined.
846
- *
847
- * @example
848
- * ```ts
849
- * await auth.member.update(ctx, memberId, {
850
- * roleIds: [roles.orgAdmin.id],
851
- * status: "active",
852
- * });
853
- * ```
854
- */
855
- update: (ctx: ComponentCtx, memberId: string, data: Record<string, unknown>) => Promise<{
856
- memberId: string;
857
- }>;
858
- /**
859
- * Resolve a user's membership in a group, optionally walking the
860
- * hierarchy and checking grants.
861
- *
862
- * **Default (no flags):** Direct lookup at `groupId` only — fast,
863
- * 1 component read. Replaces the old `getByUserAndGroup`.
864
- *
865
- * **`ancestry: true`:** Walk the group hierarchy from `groupId` up
866
- * to root, returning the first matching membership. Includes
867
- * `traversedGroupIds` in the result. Expensive (N reads).
868
- *
869
- * **`grants: [...]`:** Check if the user has all specified grants.
870
- * Works at the direct level by default. Combine with
871
- * `ancestry: true` to check inherited grants.
872
- *
873
- * @param ctx - Convex query or mutation context.
874
- * @param opts.userId - The user's document ID.
875
- * @param opts.groupId - The group to check membership in.
876
- * @param opts.ancestry - Walk the hierarchy (default `false`).
877
- * @param opts.maxDepth - Max hierarchy levels (default 32, only with ancestry).
878
- * @returns `{ membership, roleIds, grants }`.
879
- *
880
- * @example Direct lookup
881
- * ```ts
882
- * const result = await auth.member.inspect(ctx, { userId, groupId });
883
- * if (!result.membership) return null;
884
- * ```
885
- *
886
- * @example Check grants after inspection
887
- * ```ts
888
- * const result = await auth.member.inspect(ctx, {
889
- * userId, groupId,
890
- * });
891
- * const canCreate = result.grants.includes("issues.create");
892
- * ```
893
- *
894
- * @example Walk hierarchy + check grants
895
- * ```ts
896
- * const result = await auth.member.inspect(ctx, {
897
- * userId, groupId: teamId, ancestry: true,
898
- * });
899
- * ```
900
- */
901
- inspect: (ctx: ComponentReadCtx, opts: {
902
- userId: string;
903
- groupId: string;
904
- ancestry?: boolean;
905
- maxDepth?: number;
906
- }) => Promise<{
907
- membership: any;
908
- roleIds: any;
909
- grants: string[];
910
- }>;
911
- require: (ctx: ComponentReadCtx, opts: {
912
- userId: string;
913
- groupId: string;
914
- ancestry?: boolean;
915
- roleIds?: string[];
916
- grants?: string[];
917
- maxDepth?: number;
918
- }) => Promise<{
919
- membership: any;
920
- roleIds: any;
921
- grants: string[];
922
- }>;
923
- };
924
- invite: {
925
- /**
926
- * Create a pending invite. Returns a one-time `token` the recipient
927
- * uses to accept. Optionally scoped to a group with role IDs.
928
- *
929
- * @param ctx - Convex mutation context.
930
- * @param data.groupId - The group to invite the user to (optional).
931
- * @param data.invitedByUserId - The user who created this invite (optional).
932
- * @param data.email - The invitee's email address (optional).
933
- * @param data.roleIds - Role IDs from `defineRoles()` to assign on acceptance (optional).
934
- * @param data.expiresTime - Expiration timestamp in ms since epoch (optional).
935
- * @param data.extend - Arbitrary app-specific metadata (optional).
936
- * @returns `{ inviteId, token }`.
937
- * @throws `INVALID_ROLE_IDS` if any supplied role IDs are not defined.
938
- *
939
- * @example
940
- * ```ts
941
- * const { token } = await auth.invite.create(ctx, {
942
- * groupId, email: "alice@example.com", roleIds: [roles.member.id],
943
- * });
944
- * ```
945
- */
946
- create: (ctx: ComponentCtx, data: {
947
- groupId?: string;
948
- invitedByUserId?: string;
949
- email?: string;
950
- roleIds?: string[];
951
- expiresTime?: number;
952
- extend?: Record<string, unknown>;
953
- }) => Promise<{
954
- inviteId: string;
955
- token: string;
956
- }>;
957
- /**
958
- * Fetch an invite document by ID.
959
- *
960
- * Returns the full invite document including its status, email,
961
- * group, role IDs, and token hash. Useful for displaying invite
962
- * details or checking status before performing actions.
963
- *
964
- * @param ctx - Convex query or mutation context.
965
- * @param inviteId - The invite's document ID.
966
- * @returns The invite document, or `null` if not found.
967
- *
968
- * @example
969
- * ```ts
970
- * const invite = await auth.invite.get(ctx, inviteId);
971
- * if (invite?.status === "pending") {
972
- * // show invite details
973
- * }
974
- * ```
975
- */
976
- get: (ctx: ComponentReadCtx, inviteId: string) => Promise<any>;
977
- token: {
978
- /**
979
- * Look up an invite by its raw token string.
980
- *
981
- * Hashes the raw token and queries the database for a matching
982
- * invite. This is the standard path for invite-link landing pages
983
- * where the token is extracted from the URL.
984
- *
985
- * @param ctx - Convex query or mutation context.
986
- * @param token - The raw invite token string from the invite link.
987
- * @returns The invite document, or `null` if no matching invite exists.
988
- *
989
- * @example
990
- * ```ts
991
- * const invite = await auth.invite.token.get(ctx, tokenFromUrl);
992
- * if (!invite || invite.status !== "pending") {
993
- * throw new Error("Invalid or expired invite");
994
- * }
995
- * ```
996
- */
997
- get: (ctx: ComponentReadCtx, token: string) => Promise<any>;
998
- /**
999
- * Accept an invite by token. Creates a membership and marks the invite as accepted.
1000
- *
1001
- * Hashes the raw token, finds the matching invite, creates a group
1002
- * membership with the invite's role IDs, and transitions the invite
1003
- * status to `"accepted"`.
1004
- *
1005
- * @param ctx - Convex mutation context.
1006
- * @param args.token - The raw invite token string.
1007
- * @param args.acceptedByUserId - The user accepting the invite.
1008
- * @returns The created membership details.
1009
- *
1010
- * @example
1011
- * ```ts
1012
- * const result = await auth.invite.token.accept(ctx, {
1013
- * token: tokenFromUrl,
1014
- * acceptedByUserId: userId,
1015
- * });
1016
- * ```
1017
- */
1018
- accept: (ctx: ComponentCtx, args: {
1019
- token: string;
1020
- acceptedByUserId: string;
1021
- }) => Promise<any>;
1022
- };
1023
- /**
1024
- * List invites with optional filtering by group, status, email, etc.
1025
- * Results are paginated.
1026
- *
1027
- * @param ctx - Convex query or mutation context.
1028
- * @param opts.where - Filter criteria (all optional).
1029
- * @param opts.where.status - `"pending"`, `"accepted"`, `"revoked"`, or `"expired"`.
1030
- * @param opts.limit - Max items per page (default 50, max 100).
1031
- * @param opts.cursor - Cursor from a previous `nextCursor` for pagination.
1032
- * @param opts.orderBy - Sort field: `"_creationTime"`, `"status"`, `"email"`,
1033
- * `"expiresTime"`, or `"acceptedTime"`.
1034
- * @param opts.order - Sort direction: `"asc"` or `"desc"`.
1035
- * @returns `{ items, nextCursor }` — `nextCursor` is `null` when there are no more pages.
1036
- *
1037
- * @example
1038
- * ```ts
1039
- * const { items } = await auth.invite.list(ctx, {
1040
- * where: { groupId, status: "pending" },
1041
- * orderBy: "_creationTime",
1042
- * order: "desc",
1043
- * });
1044
- * ```
1045
- */
1046
- list: (ctx: ComponentReadCtx, opts?: {
1047
- where?: {
1048
- tokenHash?: string;
1049
- groupId?: string;
1050
- status?: "pending" | "accepted" | "revoked" | "expired";
1051
- email?: string;
1052
- invitedByUserId?: string;
1053
- roleId?: string;
1054
- acceptedByUserId?: string;
1055
- };
1056
- limit?: number;
1057
- cursor?: string | null;
1058
- orderBy?: "_creationTime" | "status" | "email" | "expiresTime" | "acceptedTime";
1059
- order?: "asc" | "desc";
1060
- }) => Promise<any>;
1061
- /**
1062
- * Accept an invite by ID. Optionally specify who accepted it.
1063
- *
1064
- * Transitions the invite's status to `"accepted"` and optionally
1065
- * records the accepting user. Unlike `invite.token.accept`, this
1066
- * method does not automatically create a group membership — use it
1067
- * for admin-driven invite acceptance flows.
1068
- *
1069
- * @param ctx - Convex mutation context.
1070
- * @param inviteId - The invite's document ID.
1071
- * @param acceptedByUserId - The user who accepted the invite (optional).
1072
- * @returns `{ inviteId, acceptedByUserId }`.
1073
- *
1074
- * @example
1075
- * ```ts
1076
- * await auth.invite.accept(ctx, inviteId, userId);
1077
- * ```
1078
- */
1079
- accept: (ctx: ComponentCtx, inviteId: string, acceptedByUserId?: string) => Promise<{
1080
- inviteId: string;
1081
- acceptedByUserId: string | null;
1082
- }>;
1083
- /**
1084
- * Revoke a pending invite. Sets its status to `"revoked"`.
1085
- *
1086
- * Once revoked, the invite's token can no longer be used to accept
1087
- * the invitation. This is a permanent status change.
1088
- *
1089
- * @param ctx - Convex mutation context.
1090
- * @param inviteId - The invite's document ID.
1091
- * @returns `{ inviteId }`.
1092
- *
1093
- * @example
1094
- * ```ts
1095
- * await auth.invite.revoke(ctx, inviteId);
1096
- * ```
1097
- */
1098
- revoke: (ctx: ComponentCtx, inviteId: string) => Promise<{
1099
- inviteId: string;
1100
- }>;
1101
- };
1102
- key: {
1103
- /**
1104
- * Create an API key for programmatic access. The returned `secret`
1105
- * (prefixed `sk_`) is shown only once — it is stored as a hash.
1106
- *
1107
- * @param ctx - Convex mutation context.
1108
- * @param opts.userId - Owner of the key.
1109
- * @param opts.name - Human-readable name (e.g. `"CI Pipeline"`).
1110
- * @param opts.scopes - Array of `{ resource, actions }` permission scopes.
1111
- * @param opts.rateLimit - Optional per-key rate limit `{ maxRequests, windowMs }`.
1112
- * @param opts.expiresAt - Optional expiration timestamp (ms since epoch).
1113
- * @param opts.metadata - Arbitrary app-specific metadata.
1114
- * @returns `{ keyId, secret }`. Store `secret` securely — it cannot be retrieved later.
1115
- *
1116
- * @example
1117
- * ```ts
1118
- * const { secret } = await auth.key.create(ctx, {
1119
- * userId,
1120
- * name: "CI Pipeline",
1121
- * scopes: [{ resource: "data", actions: ["read"] }],
1122
- * });
1123
- * ```
1124
- */
1125
- create: (ctx: ComponentCtx, opts: {
1126
- userId: string;
1127
- name: string;
1128
- scopes: KeyScope[];
1129
- rateLimit?: {
1130
- maxRequests: number;
1131
- windowMs: number;
1132
- };
1133
- expiresAt?: number;
1134
- metadata?: Record<string, unknown>;
1135
- }) => Promise<{
1136
- keyId: string;
1137
- secret: string;
1138
- }>;
1139
- /**
1140
- * Verify an API key and return the owner's identity and scopes.
1141
- *
1142
- * Checks the key against the database, enforces expiration and rate
1143
- * limits, and returns a `ScopeChecker` for permission evaluation.
1144
- *
1145
- * @param ctx - Convex mutation context (updates `lastUsedAt` and rate limit state).
1146
- * @param rawKey - The raw `sk_*` key string.
1147
- * @returns `{ userId, keyId, scopes }` where `scopes.can(resource, action)` checks permissions.
1148
- * @throws `INVALID_API_KEY` if the key is not found.
1149
- * @throws `API_KEY_REVOKED` if the key was revoked.
1150
- * @throws `API_KEY_EXPIRED` if the key is past its `expiresAt`.
1151
- * @throws `API_KEY_RATE_LIMITED` if the rate limit is exceeded.
1152
- *
1153
- * @example
1154
- * ```ts
1155
- * const { userId, scopes } = await auth.key.verify(ctx, rawKey);
1156
- * const canRead = scopes.can("data", "read");
1157
- * ```
1158
- */
1159
- verify: (ctx: ComponentCtx, rawKey: string) => Promise<{
1160
- userId: string;
1161
- keyId: string;
1162
- scopes: ScopeChecker;
1163
- }>;
1164
- /**
1165
- * List API keys with optional filtering by user, revocation status, name,
1166
- * or prefix. Results are paginated. Does not expose raw key secrets.
1167
- *
1168
- * @param ctx - Convex query or mutation context.
1169
- * @param opts.where - Filter criteria (all optional, combined with AND).
1170
- * @param opts.limit - Max items per page (default 50, max 100).
1171
- * @param opts.cursor - Cursor from a previous `nextCursor` for pagination.
1172
- * @param opts.orderBy - Sort field: `"_creationTime"`, `"name"`, `"lastUsedAt"`, `"expiresAt"`, or `"revoked"`.
1173
- * @param opts.order - Sort direction: `"asc"` or `"desc"`.
1174
- * @returns `{ items, nextCursor }` — `nextCursor` is `null` when no more pages.
1175
- *
1176
- * @example
1177
- * ```ts
1178
- * const { items } = await auth.key.list(ctx, {
1179
- * where: { userId, revoked: false },
1180
- * orderBy: "lastUsedAt",
1181
- * order: "desc",
1182
- * });
1183
- * ```
1184
- */
1185
- list: (ctx: ComponentReadCtx, opts?: {
1186
- where?: {
1187
- userId?: string;
1188
- revoked?: boolean;
1189
- name?: string;
1190
- prefix?: string;
1191
- };
1192
- limit?: number;
1193
- cursor?: string | null;
1194
- orderBy?: "_creationTime" | "name" | "lastUsedAt" | "expiresAt" | "revoked";
1195
- order?: "asc" | "desc";
1196
- }) => Promise<any>;
1197
- /**
1198
- * Fetch an API key record by ID. Does not expose the raw key secret.
1199
- *
1200
- * Returns the key document including metadata, scopes, rate limit
1201
- * configuration, and revocation status. The raw secret is never
1202
- * stored or returned — only the hashed key and display prefix.
1203
- *
1204
- * @param ctx - Convex query or mutation context.
1205
- * @param keyId - The API key's document ID.
1206
- * @returns The key document, or `null` if not found.
1207
- *
1208
- * @example
1209
- * ```ts
1210
- * const key = await auth.key.get(ctx, keyId);
1211
- * if (!key) throw new Error("Key not found");
1212
- * console.log(key.name, key.prefix);
1213
- * ```
1214
- */
1215
- get: (ctx: ComponentReadCtx, keyId: string) => Promise<KeyDoc | null>;
1216
- /**
1217
- * Update a key's name, scopes, or rate limit.
1218
- *
1219
- * Patches the specified fields on the API key document. Only the
1220
- * provided fields are changed — omitted fields remain unchanged.
1221
- *
1222
- * @param ctx - Convex mutation context.
1223
- * @param keyId - The API key's document ID.
1224
- * @param data - Fields to merge into the key document.
1225
- * @returns `{ keyId }`.
1226
- *
1227
- * @example
1228
- * ```ts
1229
- * await auth.key.update(ctx, keyId, {
1230
- * name: "CI Pipeline (updated)",
1231
- * scopes: [{ resource: "data", actions: ["read", "write"] }],
1232
- * });
1233
- * ```
1234
- */
1235
- update: (ctx: ComponentCtx, keyId: string, data: {
1236
- name?: string;
1237
- scopes?: KeyScope[];
1238
- rateLimit?: {
1239
- maxRequests: number;
1240
- windowMs: number;
1241
- };
1242
- }) => Promise<{
1243
- keyId: string;
1244
- }>;
1245
- /**
1246
- * Soft-delete: set `revoked: true`. The key can no longer be verified.
1247
- *
1248
- * After revocation, any subsequent calls to `auth.key.verify` with
1249
- * this key will throw `API_KEY_REVOKED`.
1250
- * The key record is preserved for audit purposes.
1251
- *
1252
- * @param ctx - Convex mutation context.
1253
- * @param keyId - The API key's document ID.
1254
- * @returns `{ keyId }`.
1255
- *
1256
- * @example
1257
- * ```ts
1258
- * await auth.key.revoke(ctx, keyId);
1259
- * ```
1260
- */
1261
- revoke: (ctx: ComponentCtx, keyId: string) => Promise<{
1262
- keyId: string;
1263
- }>;
1264
- /**
1265
- * Hard-delete: permanently remove the key record.
1266
- *
1267
- * Unlike `revoke`, this permanently removes the key document from
1268
- * the database. Use this when you need to fully clean up a key
1269
- * rather than preserving it for audit history.
1270
- *
1271
- * @param ctx - Convex mutation context.
1272
- * @param keyId - The API key's document ID.
1273
- * @returns `{ keyId }`.
1274
- *
1275
- * @example
1276
- * ```ts
1277
- * await auth.key.delete(ctx, keyId);
1278
- * ```
1279
- */
1280
- delete: (ctx: ComponentCtx, keyId: string) => Promise<{
1281
- keyId: string;
1282
- }>;
1283
- /**
1284
- * Rotate a key: revokes the old key and creates a new one with the
1285
- * same user, scopes, and rate limit. Returns the new `keyId` and `secret`.
1286
- * Throws if the key does not exist or is already revoked.
1287
- *
1288
- * @param ctx - Convex mutation context.
1289
- * @param keyId - The existing API key's document ID to rotate.
1290
- * @param opts.name - Optional new name for the rotated key (defaults to the old name).
1291
- * @param opts.expiresAt - Optional new expiration timestamp in ms since epoch.
1292
- * @returns `{ keyId, secret }` with the new key.
1293
- * @throws `INVALID_PARAMETERS` if the key does not exist.
1294
- * @throws `API_KEY_REVOKED` if the key is already revoked.
1295
- *
1296
- * @example
1297
- * ```ts
1298
- * const { keyId, secret } = await auth.key.rotate(ctx, oldKeyId, {
1299
- * expiresAt: Date.now() + 30 * 24 * 60 * 60 * 1000, // 30 days
1300
- * });
1301
- * // Store secret securely — shown only once
1302
- * ```
1303
- */
1304
- rotate: (ctx: ComponentCtx, keyId: string, opts?: {
1305
- name?: string;
1306
- expiresAt?: number;
1307
- }) => Promise<{
1308
- keyId: string;
1309
- secret: string;
1310
- }>;
1311
- };
1312
- };
1313
- //#endregion
1314
- export { createCoreDomains };
1315
- //# sourceMappingURL=core.d.ts.map