@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +43 -36
- package/dist/bin.js +5765 -4880
- package/dist/browser/index.d.ts +30 -0
- package/dist/browser/index.js +93 -0
- package/dist/browser/locks.js +11 -0
- package/dist/browser/navigation.js +14 -0
- package/dist/{factors → browser}/passkey.js +23 -32
- package/dist/browser/runtime.js +92 -0
- package/dist/client/core/types.d.ts +452 -5
- package/dist/client/core/types.js +17 -0
- package/dist/client/errors.js +19 -0
- package/dist/client/factors/device.js +94 -0
- package/dist/{factors → client/factors}/totp.js +12 -4
- package/dist/client/index.d.ts +47 -1
- package/dist/client/index.js +269 -232
- package/dist/client/runtime/mutex.js +24 -0
- package/dist/client/runtime/proxy.js +30 -0
- package/dist/client/runtime/storage.js +45 -0
- package/dist/client/services/adapters.js +7 -0
- package/dist/client/services/http.js +6 -0
- package/dist/client/services/resolve.js +13 -0
- package/dist/client/services/runtime.js +6 -0
- package/dist/component/_generated/component.d.ts +1355 -1399
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/index.d.ts +4 -26
- package/dist/component/index.js +1 -1
- package/dist/component/model.d.ts +26 -112
- package/dist/component/model.js +76 -54
- package/dist/component/modules.js +38 -0
- package/dist/component/public/factors/devices.js +1 -1
- package/dist/component/public/factors/passkeys.js +1 -1
- package/dist/component/public/factors/totp.js +1 -1
- package/dist/component/public/groups/core.js +2 -2
- package/dist/component/public/groups/invites.js +1 -1
- package/dist/component/public/groups/members.js +1 -1
- package/dist/component/public/identity/accounts.js +1 -1
- package/dist/component/public/identity/codes.js +1 -1
- package/dist/component/public/identity/sessions.js +39 -2
- package/dist/component/public/identity/tokens.js +82 -4
- package/dist/component/public/identity/users.js +1 -1
- package/dist/component/public/identity/verifiers.js +10 -4
- package/dist/component/public/security/keys.js +1 -1
- package/dist/component/public/security/limits.js +1 -1
- package/dist/component/public/{enterprise → sso}/audit.js +26 -26
- package/dist/component/public/sso/core.js +263 -0
- package/dist/component/public/sso/domains.js +280 -0
- package/dist/component/public/{enterprise → sso}/scim.js +87 -87
- package/dist/component/public/sso/secrets.js +125 -0
- package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
- package/dist/component/public.js +9 -9
- package/dist/component/schema.d.ts +472 -393
- package/dist/component/schema.js +36 -35
- package/dist/core/index.d.ts +380 -0
- package/dist/core/index.js +83 -0
- package/dist/otel.d.ts +69 -0
- package/dist/otel.js +82 -0
- package/dist/providers/anonymous.d.ts +15 -34
- package/dist/providers/anonymous.js +27 -35
- package/dist/providers/apple.d.ts +59 -0
- package/dist/providers/apple.js +58 -0
- package/dist/providers/credentials.d.ts +18 -34
- package/dist/providers/credentials.js +16 -27
- package/dist/providers/custom.d.ts +94 -0
- package/dist/providers/custom.js +119 -0
- package/dist/providers/device.d.ts +15 -49
- package/dist/providers/device.js +17 -34
- package/dist/providers/email.d.ts +21 -38
- package/dist/providers/email.js +36 -55
- package/dist/providers/github.d.ts +54 -0
- package/dist/providers/github.js +75 -0
- package/dist/providers/google.d.ts +54 -0
- package/dist/providers/google.js +61 -0
- package/dist/providers/index.d.ts +16 -12
- package/dist/providers/index.js +15 -11
- package/dist/providers/microsoft.d.ts +57 -0
- package/dist/providers/microsoft.js +101 -0
- package/dist/providers/passkey.d.ts +19 -35
- package/dist/providers/passkey.js +20 -30
- package/dist/providers/password.d.ts +17 -18
- package/dist/providers/password.js +121 -143
- package/dist/providers/phone.d.ts +13 -28
- package/dist/providers/phone.js +21 -46
- package/dist/providers/sso.d.ts +16 -36
- package/dist/providers/sso.js +21 -22
- package/dist/providers/totp.d.ts +13 -29
- package/dist/providers/totp.js +17 -27
- package/dist/server/auth-context.d.ts +204 -0
- package/dist/server/auth-context.js +76 -0
- package/dist/server/auth.d.ts +99 -244
- package/dist/server/auth.js +56 -152
- package/dist/server/componentContext.d.ts +12 -0
- package/dist/server/componentContext.js +1 -0
- package/dist/server/config.js +6 -67
- package/dist/server/constants.js +6 -0
- package/dist/server/contract.d.ts +105 -0
- package/dist/server/contract.js +43 -0
- package/dist/server/cookies.js +3 -2
- package/dist/server/core.js +31 -36
- package/dist/server/crypto.js +34 -44
- package/dist/server/db.js +6 -1
- package/dist/server/device.js +96 -130
- package/dist/server/env.js +48 -0
- package/dist/server/errors.js +20 -0
- package/dist/server/http.d.ts +15 -59
- package/dist/server/http.js +136 -120
- package/dist/server/identity.js +2 -2
- package/dist/server/index.d.ts +5 -4
- package/dist/server/index.js +3 -3
- package/dist/server/keys.js +10 -1
- package/dist/server/limits.js +26 -26
- package/dist/server/log.js +28 -0
- package/dist/server/mounts.d.ts +1107 -296
- package/dist/server/mounts.js +315 -196
- package/dist/server/mutations/account.js +11 -14
- package/dist/server/mutations/code.js +6 -5
- package/dist/server/mutations/invalidate.js +9 -11
- package/dist/server/mutations/oauth.js +112 -73
- package/dist/server/mutations/refresh.js +47 -97
- package/dist/server/mutations/register.js +37 -35
- package/dist/server/mutations/retrieve.js +16 -16
- package/dist/server/mutations/signature.js +15 -18
- package/dist/server/mutations/signin.js +10 -5
- package/dist/server/mutations/signout.js +11 -14
- package/dist/server/mutations/store.js +25 -18
- package/dist/server/mutations/verifier.js +11 -8
- package/dist/server/mutations/verify.js +53 -41
- package/dist/server/oauth/factory.js +44 -0
- package/dist/server/oauth/index.js +12 -0
- package/dist/server/oauth/runtime.js +248 -0
- package/dist/server/passkey.js +331 -365
- package/dist/server/payloads.d.ts +16 -0
- package/dist/server/payloads.js +30 -0
- package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
- package/dist/server/prefetch.js +635 -0
- package/dist/server/random.js +19 -0
- package/dist/server/redirects.js +10 -5
- package/dist/server/refresh.js +14 -86
- package/dist/server/runtime.d.ts +531 -31
- package/dist/server/runtime.js +106 -267
- package/dist/server/secret.js +44 -0
- package/dist/server/services/config.js +10 -0
- package/dist/server/services/group.js +211 -0
- package/dist/server/services/logger.js +8 -0
- package/dist/server/services/providers.js +22 -0
- package/dist/server/services/refresh.js +8 -0
- package/dist/server/services/resolve.js +27 -0
- package/dist/server/services/signin.js +8 -0
- package/dist/server/sessions.js +35 -34
- package/dist/server/signin.js +229 -140
- package/dist/server/{enterprise → sso}/config.js +10 -3
- package/dist/server/sso/domain.d.ts +614 -0
- package/dist/server/sso/domain.js +1175 -0
- package/dist/server/sso/http.js +1060 -0
- package/dist/server/sso/oidc.js +324 -0
- package/dist/server/sso/policies.js +59 -0
- package/dist/server/sso/policy.js +139 -0
- package/dist/server/sso/profile.js +22 -0
- package/dist/server/sso/provision.js +179 -0
- package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
- package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
- package/dist/server/sso/shared.js +74 -0
- package/dist/server/sso/validators.js +88 -0
- package/dist/server/sso/webhook.js +94 -0
- package/dist/server/tokens.js +16 -4
- package/dist/server/totp.js +155 -164
- package/dist/server/types.d.ts +306 -296
- package/dist/server/types.js +1 -30
- package/dist/server/url.js +32 -0
- package/dist/server/users.js +74 -40
- package/dist/server/utils/cache.js +51 -0
- package/dist/server/utils/dispatch.js +36 -0
- package/dist/server/utils/retry.js +24 -0
- package/dist/server/utils/span.js +32 -0
- package/dist/shared/errors.js +19 -0
- package/dist/shared/log.js +45 -0
- package/{src/test.ts → dist/test.d.ts} +21 -22
- package/dist/test.js +51 -0
- package/package.json +70 -42
- package/dist/authorization/index.d.ts.map +0 -1
- package/dist/authorization/index.js.map +0 -1
- package/dist/client/core/types.d.ts.map +0 -1
- package/dist/client/index.d.ts.map +0 -1
- package/dist/client/index.js.map +0 -1
- package/dist/component/_generated/api.d.ts +0 -75
- package/dist/component/_generated/api.d.ts.map +0 -1
- package/dist/component/_generated/api.js.map +0 -1
- package/dist/component/_generated/component.d.ts.map +0 -1
- package/dist/component/_generated/dataModel.d.ts +0 -42
- package/dist/component/_generated/dataModel.d.ts.map +0 -1
- package/dist/component/_generated/server.d.ts +0 -117
- package/dist/component/_generated/server.d.ts.map +0 -1
- package/dist/component/_generated/server.js.map +0 -1
- package/dist/component/_virtual/rolldown_runtime.js +0 -18
- package/dist/component/client/core/types.d.ts +0 -2
- package/dist/component/client/index.d.ts +0 -1
- package/dist/component/convex.config.d.ts.map +0 -1
- package/dist/component/convex.config.js.map +0 -1
- package/dist/component/functions.d.ts +0 -25
- package/dist/component/functions.d.ts.map +0 -1
- package/dist/component/functions.js.map +0 -1
- package/dist/component/index.d.ts.map +0 -1
- package/dist/component/model.d.ts.map +0 -1
- package/dist/component/model.js.map +0 -1
- package/dist/component/providers/anonymous.d.ts +0 -54
- package/dist/component/providers/anonymous.d.ts.map +0 -1
- package/dist/component/providers/credentials.d.ts +0 -38
- package/dist/component/providers/credentials.d.ts.map +0 -1
- package/dist/component/providers/device.d.ts +0 -67
- package/dist/component/providers/device.d.ts.map +0 -1
- package/dist/component/providers/email.d.ts +0 -62
- package/dist/component/providers/email.d.ts.map +0 -1
- package/dist/component/providers/oauth.d.ts +0 -25
- package/dist/component/providers/oauth.d.ts.map +0 -1
- package/dist/component/providers/oauth.js +0 -13
- package/dist/component/providers/oauth.js.map +0 -1
- package/dist/component/providers/passkey.d.ts +0 -57
- package/dist/component/providers/passkey.d.ts.map +0 -1
- package/dist/component/providers/password.d.ts +0 -88
- package/dist/component/providers/password.d.ts.map +0 -1
- package/dist/component/providers/phone.d.ts +0 -48
- package/dist/component/providers/phone.d.ts.map +0 -1
- package/dist/component/providers/sso.d.ts +0 -50
- package/dist/component/providers/sso.d.ts.map +0 -1
- package/dist/component/providers/totp.d.ts +0 -45
- package/dist/component/providers/totp.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.d.ts +0 -73
- package/dist/component/public/enterprise/audit.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.js.map +0 -1
- package/dist/component/public/enterprise/core.d.ts +0 -176
- package/dist/component/public/enterprise/core.d.ts.map +0 -1
- package/dist/component/public/enterprise/core.js +0 -292
- package/dist/component/public/enterprise/core.js.map +0 -1
- package/dist/component/public/enterprise/domains.d.ts +0 -174
- package/dist/component/public/enterprise/domains.d.ts.map +0 -1
- package/dist/component/public/enterprise/domains.js +0 -271
- package/dist/component/public/enterprise/domains.js.map +0 -1
- package/dist/component/public/enterprise/scim.d.ts +0 -245
- package/dist/component/public/enterprise/scim.d.ts.map +0 -1
- package/dist/component/public/enterprise/scim.js.map +0 -1
- package/dist/component/public/enterprise/secrets.d.ts +0 -78
- package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
- package/dist/component/public/enterprise/secrets.js +0 -118
- package/dist/component/public/enterprise/secrets.js.map +0 -1
- package/dist/component/public/enterprise/webhooks.d.ts +0 -211
- package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
- package/dist/component/public/enterprise/webhooks.js.map +0 -1
- package/dist/component/public/factors/devices.d.ts +0 -157
- package/dist/component/public/factors/devices.d.ts.map +0 -1
- package/dist/component/public/factors/devices.js.map +0 -1
- package/dist/component/public/factors/passkeys.d.ts +0 -175
- package/dist/component/public/factors/passkeys.d.ts.map +0 -1
- package/dist/component/public/factors/passkeys.js.map +0 -1
- package/dist/component/public/factors/totp.d.ts +0 -189
- package/dist/component/public/factors/totp.d.ts.map +0 -1
- package/dist/component/public/factors/totp.js.map +0 -1
- package/dist/component/public/groups/core.d.ts +0 -137
- package/dist/component/public/groups/core.d.ts.map +0 -1
- package/dist/component/public/groups/core.js.map +0 -1
- package/dist/component/public/groups/invites.d.ts +0 -217
- package/dist/component/public/groups/invites.d.ts.map +0 -1
- package/dist/component/public/groups/invites.js.map +0 -1
- package/dist/component/public/groups/members.d.ts +0 -204
- package/dist/component/public/groups/members.d.ts.map +0 -1
- package/dist/component/public/groups/members.js.map +0 -1
- package/dist/component/public/identity/accounts.d.ts +0 -147
- package/dist/component/public/identity/accounts.d.ts.map +0 -1
- package/dist/component/public/identity/accounts.js.map +0 -1
- package/dist/component/public/identity/codes.d.ts +0 -104
- package/dist/component/public/identity/codes.d.ts.map +0 -1
- package/dist/component/public/identity/codes.js.map +0 -1
- package/dist/component/public/identity/sessions.d.ts +0 -128
- package/dist/component/public/identity/sessions.d.ts.map +0 -1
- package/dist/component/public/identity/sessions.js.map +0 -1
- package/dist/component/public/identity/tokens.d.ts +0 -169
- package/dist/component/public/identity/tokens.d.ts.map +0 -1
- package/dist/component/public/identity/tokens.js.map +0 -1
- package/dist/component/public/identity/users.d.ts +0 -212
- package/dist/component/public/identity/users.d.ts.map +0 -1
- package/dist/component/public/identity/users.js.map +0 -1
- package/dist/component/public/identity/verifiers.d.ts +0 -116
- package/dist/component/public/identity/verifiers.d.ts.map +0 -1
- package/dist/component/public/identity/verifiers.js.map +0 -1
- package/dist/component/public/security/keys.d.ts +0 -209
- package/dist/component/public/security/keys.d.ts.map +0 -1
- package/dist/component/public/security/keys.js.map +0 -1
- package/dist/component/public/security/limits.d.ts +0 -114
- package/dist/component/public/security/limits.d.ts.map +0 -1
- package/dist/component/public/security/limits.js.map +0 -1
- package/dist/component/public.d.ts +0 -28
- package/dist/component/public.d.ts.map +0 -1
- package/dist/component/schema.d.ts.map +0 -1
- package/dist/component/schema.js.map +0 -1
- package/dist/component/server/auth.d.ts +0 -447
- package/dist/component/server/auth.d.ts.map +0 -1
- package/dist/component/server/auth.js +0 -254
- package/dist/component/server/auth.js.map +0 -1
- package/dist/component/server/config.js +0 -121
- package/dist/component/server/config.js.map +0 -1
- package/dist/component/server/context.js +0 -53
- package/dist/component/server/context.js.map +0 -1
- package/dist/component/server/cookies.js +0 -47
- package/dist/component/server/cookies.js.map +0 -1
- package/dist/component/server/core.js +0 -576
- package/dist/component/server/core.js.map +0 -1
- package/dist/component/server/crypto.js +0 -56
- package/dist/component/server/crypto.js.map +0 -1
- package/dist/component/server/db.js +0 -87
- package/dist/component/server/db.js.map +0 -1
- package/dist/component/server/device.js +0 -152
- package/dist/component/server/device.js.map +0 -1
- package/dist/component/server/enterprise/config.js +0 -46
- package/dist/component/server/enterprise/config.js.map +0 -1
- package/dist/component/server/enterprise/domain.js +0 -974
- package/dist/component/server/enterprise/domain.js.map +0 -1
- package/dist/component/server/enterprise/http.js +0 -787
- package/dist/component/server/enterprise/http.js.map +0 -1
- package/dist/component/server/enterprise/oidc.js +0 -248
- package/dist/component/server/enterprise/oidc.js.map +0 -1
- package/dist/component/server/enterprise/policy.js +0 -85
- package/dist/component/server/enterprise/policy.js.map +0 -1
- package/dist/component/server/enterprise/saml.js.map +0 -1
- package/dist/component/server/enterprise/scim.js.map +0 -1
- package/dist/component/server/enterprise/shared.js +0 -51
- package/dist/component/server/enterprise/shared.js.map +0 -1
- package/dist/component/server/http.d.ts +0 -85
- package/dist/component/server/http.d.ts.map +0 -1
- package/dist/component/server/http.js +0 -351
- package/dist/component/server/http.js.map +0 -1
- package/dist/component/server/identity.js +0 -16
- package/dist/component/server/identity.js.map +0 -1
- package/dist/component/server/keys.js +0 -96
- package/dist/component/server/keys.js.map +0 -1
- package/dist/component/server/limits.js +0 -52
- package/dist/component/server/limits.js.map +0 -1
- package/dist/component/server/mutations/account.js +0 -46
- package/dist/component/server/mutations/account.js.map +0 -1
- package/dist/component/server/mutations/code.js +0 -68
- package/dist/component/server/mutations/code.js.map +0 -1
- package/dist/component/server/mutations/invalidate.js +0 -32
- package/dist/component/server/mutations/invalidate.js.map +0 -1
- package/dist/component/server/mutations/oauth.js +0 -116
- package/dist/component/server/mutations/oauth.js.map +0 -1
- package/dist/component/server/mutations/refresh.js +0 -119
- package/dist/component/server/mutations/refresh.js.map +0 -1
- package/dist/component/server/mutations/register.js +0 -87
- package/dist/component/server/mutations/register.js.map +0 -1
- package/dist/component/server/mutations/retrieve.js +0 -61
- package/dist/component/server/mutations/retrieve.js.map +0 -1
- package/dist/component/server/mutations/signature.js +0 -38
- package/dist/component/server/mutations/signature.js.map +0 -1
- package/dist/component/server/mutations/signin.js +0 -27
- package/dist/component/server/mutations/signin.js.map +0 -1
- package/dist/component/server/mutations/signout.js +0 -27
- package/dist/component/server/mutations/signout.js.map +0 -1
- package/dist/component/server/mutations/store/refs.js +0 -15
- package/dist/component/server/mutations/store/refs.js.map +0 -1
- package/dist/component/server/mutations/store.js +0 -70
- package/dist/component/server/mutations/store.js.map +0 -1
- package/dist/component/server/mutations/verifier.js +0 -18
- package/dist/component/server/mutations/verifier.js.map +0 -1
- package/dist/component/server/mutations/verify.js +0 -98
- package/dist/component/server/mutations/verify.js.map +0 -1
- package/dist/component/server/oauth.js +0 -242
- package/dist/component/server/oauth.js.map +0 -1
- package/dist/component/server/passkey.js +0 -415
- package/dist/component/server/passkey.js.map +0 -1
- package/dist/component/server/redirects.js +0 -40
- package/dist/component/server/redirects.js.map +0 -1
- package/dist/component/server/refresh.js +0 -99
- package/dist/component/server/refresh.js.map +0 -1
- package/dist/component/server/runtime.d.ts +0 -136
- package/dist/component/server/runtime.d.ts.map +0 -1
- package/dist/component/server/runtime.js +0 -456
- package/dist/component/server/runtime.js.map +0 -1
- package/dist/component/server/sessions.js +0 -71
- package/dist/component/server/sessions.js.map +0 -1
- package/dist/component/server/signin.js +0 -225
- package/dist/component/server/signin.js.map +0 -1
- package/dist/component/server/tokens.js +0 -17
- package/dist/component/server/tokens.js.map +0 -1
- package/dist/component/server/totp.js +0 -208
- package/dist/component/server/totp.js.map +0 -1
- package/dist/component/server/types.d.ts +0 -949
- package/dist/component/server/types.d.ts.map +0 -1
- package/dist/component/server/types.js +0 -79
- package/dist/component/server/types.js.map +0 -1
- package/dist/component/server/users.js +0 -123
- package/dist/component/server/users.js.map +0 -1
- package/dist/component/server/utils.js +0 -140
- package/dist/component/server/utils.js.map +0 -1
- package/dist/core/types.d.ts +0 -361
- package/dist/core/types.d.ts.map +0 -1
- package/dist/factors/device.js +0 -104
- package/dist/factors/device.js.map +0 -1
- package/dist/factors/passkey.js.map +0 -1
- package/dist/factors/totp.js.map +0 -1
- package/dist/providers/anonymous.d.ts.map +0 -1
- package/dist/providers/anonymous.js.map +0 -1
- package/dist/providers/credentials.d.ts.map +0 -1
- package/dist/providers/credentials.js.map +0 -1
- package/dist/providers/device.d.ts.map +0 -1
- package/dist/providers/device.js.map +0 -1
- package/dist/providers/email.d.ts.map +0 -1
- package/dist/providers/email.js.map +0 -1
- package/dist/providers/oauth.d.ts +0 -69
- package/dist/providers/oauth.d.ts.map +0 -1
- package/dist/providers/oauth.js +0 -43
- package/dist/providers/oauth.js.map +0 -1
- package/dist/providers/passkey.d.ts.map +0 -1
- package/dist/providers/passkey.js.map +0 -1
- package/dist/providers/password.d.ts.map +0 -1
- package/dist/providers/password.js.map +0 -1
- package/dist/providers/phone.d.ts.map +0 -1
- package/dist/providers/phone.js.map +0 -1
- package/dist/providers/sso.d.ts.map +0 -1
- package/dist/providers/sso.js.map +0 -1
- package/dist/providers/totp.d.ts.map +0 -1
- package/dist/providers/totp.js.map +0 -1
- package/dist/runtime/browser.js +0 -68
- package/dist/runtime/browser.js.map +0 -1
- package/dist/runtime/invite.js.map +0 -1
- package/dist/runtime/proxy.js +0 -70
- package/dist/runtime/proxy.js.map +0 -1
- package/dist/runtime/storage.js +0 -37
- package/dist/runtime/storage.js.map +0 -1
- package/dist/server/auth.d.ts.map +0 -1
- package/dist/server/auth.js.map +0 -1
- package/dist/server/config.d.ts +0 -1
- package/dist/server/config.js.map +0 -1
- package/dist/server/context.d.ts +0 -1
- package/dist/server/context.js.map +0 -1
- package/dist/server/cookies.d.ts +0 -1
- package/dist/server/cookies.js.map +0 -1
- package/dist/server/core.d.ts +0 -1315
- package/dist/server/core.d.ts.map +0 -1
- package/dist/server/core.js.map +0 -1
- package/dist/server/crypto.d.ts +0 -8
- package/dist/server/crypto.d.ts.map +0 -1
- package/dist/server/crypto.js.map +0 -1
- package/dist/server/db.d.ts +0 -1
- package/dist/server/db.js.map +0 -1
- package/dist/server/device.d.ts +0 -1
- package/dist/server/device.js.map +0 -1
- package/dist/server/enterprise/config.d.ts +0 -1
- package/dist/server/enterprise/config.js.map +0 -1
- package/dist/server/enterprise/domain.d.ts +0 -401
- package/dist/server/enterprise/domain.d.ts.map +0 -1
- package/dist/server/enterprise/domain.js +0 -974
- package/dist/server/enterprise/domain.js.map +0 -1
- package/dist/server/enterprise/http.d.ts +0 -26
- package/dist/server/enterprise/http.d.ts.map +0 -1
- package/dist/server/enterprise/http.js +0 -787
- package/dist/server/enterprise/http.js.map +0 -1
- package/dist/server/enterprise/oidc.d.ts +0 -1
- package/dist/server/enterprise/oidc.js +0 -248
- package/dist/server/enterprise/oidc.js.map +0 -1
- package/dist/server/enterprise/policy.d.ts +0 -1
- package/dist/server/enterprise/policy.js +0 -85
- package/dist/server/enterprise/policy.js.map +0 -1
- package/dist/server/enterprise/saml.d.ts +0 -1
- package/dist/server/enterprise/saml.js +0 -338
- package/dist/server/enterprise/saml.js.map +0 -1
- package/dist/server/enterprise/scim.d.ts +0 -1
- package/dist/server/enterprise/scim.js +0 -97
- package/dist/server/enterprise/scim.js.map +0 -1
- package/dist/server/enterprise/shared.d.ts +0 -5
- package/dist/server/enterprise/shared.d.ts.map +0 -1
- package/dist/server/enterprise/shared.js +0 -51
- package/dist/server/enterprise/shared.js.map +0 -1
- package/dist/server/enterprise/validators.d.ts +0 -1
- package/dist/server/enterprise/validators.js +0 -60
- package/dist/server/enterprise/validators.js.map +0 -1
- package/dist/server/http.d.ts.map +0 -1
- package/dist/server/http.js.map +0 -1
- package/dist/server/identity.d.ts +0 -1
- package/dist/server/identity.js.map +0 -1
- package/dist/server/keys.d.ts +0 -1
- package/dist/server/keys.js.map +0 -1
- package/dist/server/limits.d.ts +0 -1
- package/dist/server/limits.js.map +0 -1
- package/dist/server/mounts.d.ts.map +0 -1
- package/dist/server/mounts.js.map +0 -1
- package/dist/server/mutations/account.d.ts +0 -29
- package/dist/server/mutations/account.d.ts.map +0 -1
- package/dist/server/mutations/account.js.map +0 -1
- package/dist/server/mutations/code.d.ts +0 -30
- package/dist/server/mutations/code.d.ts.map +0 -1
- package/dist/server/mutations/code.js.map +0 -1
- package/dist/server/mutations/index.d.ts +0 -14
- package/dist/server/mutations/invalidate.d.ts +0 -20
- package/dist/server/mutations/invalidate.d.ts.map +0 -1
- package/dist/server/mutations/invalidate.js.map +0 -1
- package/dist/server/mutations/oauth.d.ts +0 -30
- package/dist/server/mutations/oauth.d.ts.map +0 -1
- package/dist/server/mutations/oauth.js.map +0 -1
- package/dist/server/mutations/refresh.d.ts +0 -21
- package/dist/server/mutations/refresh.d.ts.map +0 -1
- package/dist/server/mutations/refresh.js.map +0 -1
- package/dist/server/mutations/register.d.ts +0 -38
- package/dist/server/mutations/register.d.ts.map +0 -1
- package/dist/server/mutations/register.js.map +0 -1
- package/dist/server/mutations/retrieve.d.ts +0 -33
- package/dist/server/mutations/retrieve.d.ts.map +0 -1
- package/dist/server/mutations/retrieve.js.map +0 -1
- package/dist/server/mutations/signature.d.ts +0 -21
- package/dist/server/mutations/signature.d.ts.map +0 -1
- package/dist/server/mutations/signature.js.map +0 -1
- package/dist/server/mutations/signin.d.ts +0 -22
- package/dist/server/mutations/signin.d.ts.map +0 -1
- package/dist/server/mutations/signin.js.map +0 -1
- package/dist/server/mutations/signout.d.ts +0 -16
- package/dist/server/mutations/signout.d.ts.map +0 -1
- package/dist/server/mutations/signout.js.map +0 -1
- package/dist/server/mutations/store/refs.d.ts +0 -12
- package/dist/server/mutations/store/refs.d.ts.map +0 -1
- package/dist/server/mutations/store/refs.js.map +0 -1
- package/dist/server/mutations/store.d.ts +0 -306
- package/dist/server/mutations/store.d.ts.map +0 -1
- package/dist/server/mutations/store.js.map +0 -1
- package/dist/server/mutations/verifier.d.ts +0 -13
- package/dist/server/mutations/verifier.d.ts.map +0 -1
- package/dist/server/mutations/verifier.js.map +0 -1
- package/dist/server/mutations/verify.d.ts +0 -26
- package/dist/server/mutations/verify.d.ts.map +0 -1
- package/dist/server/mutations/verify.js.map +0 -1
- package/dist/server/oauth.d.ts +0 -1
- package/dist/server/oauth.js +0 -242
- package/dist/server/oauth.js.map +0 -1
- package/dist/server/passkey.d.ts +0 -27
- package/dist/server/passkey.d.ts.map +0 -1
- package/dist/server/passkey.js.map +0 -1
- package/dist/server/redirects.d.ts +0 -1
- package/dist/server/redirects.js.map +0 -1
- package/dist/server/refresh.d.ts +0 -1
- package/dist/server/refresh.js.map +0 -1
- package/dist/server/runtime.d.ts.map +0 -1
- package/dist/server/runtime.js.map +0 -1
- package/dist/server/sessions.d.ts +0 -1
- package/dist/server/sessions.js.map +0 -1
- package/dist/server/signin.d.ts +0 -1
- package/dist/server/signin.js.map +0 -1
- package/dist/server/ssr.d.ts.map +0 -1
- package/dist/server/ssr.js +0 -777
- package/dist/server/ssr.js.map +0 -1
- package/dist/server/templates.d.ts +0 -1
- package/dist/server/templates.js.map +0 -1
- package/dist/server/tokens.d.ts +0 -1
- package/dist/server/tokens.js.map +0 -1
- package/dist/server/totp.d.ts +0 -1
- package/dist/server/totp.js.map +0 -1
- package/dist/server/types.d.ts.map +0 -1
- package/dist/server/types.js.map +0 -1
- package/dist/server/users.d.ts +0 -1
- package/dist/server/users.js.map +0 -1
- package/dist/server/utils.d.ts +0 -1
- package/dist/server/utils.js +0 -140
- package/dist/server/utils.js.map +0 -1
- package/src/authorization/index.ts +0 -83
- package/src/cli/bin.ts +0 -5
- package/src/cli/command.ts +0 -70
- package/src/cli/index.ts +0 -1112
- package/src/cli/keys.ts +0 -23
- package/src/client/core/types.ts +0 -437
- package/src/client/factors/device.ts +0 -158
- package/src/client/factors/passkey.ts +0 -279
- package/src/client/factors/totp.ts +0 -150
- package/src/client/index.ts +0 -1124
- package/src/client/runtime/browser.ts +0 -112
- package/src/client/runtime/invite.ts +0 -63
- package/src/client/runtime/proxy.ts +0 -111
- package/src/client/runtime/storage.ts +0 -79
- package/src/component/_generated/api.ts +0 -96
- package/src/component/_generated/component.ts +0 -3774
- package/src/component/_generated/dataModel.ts +0 -60
- package/src/component/_generated/server.ts +0 -156
- package/src/component/convex.config.ts +0 -5
- package/src/component/functions.ts +0 -104
- package/src/component/index.ts +0 -42
- package/src/component/model.ts +0 -449
- package/src/component/public/enterprise/audit.ts +0 -125
- package/src/component/public/enterprise/core.ts +0 -355
- package/src/component/public/enterprise/domains.ts +0 -327
- package/src/component/public/enterprise/scim.ts +0 -397
- package/src/component/public/enterprise/secrets.ts +0 -133
- package/src/component/public/enterprise/webhooks.ts +0 -307
- package/src/component/public/factors/devices.ts +0 -224
- package/src/component/public/factors/passkeys.ts +0 -243
- package/src/component/public/factors/totp.ts +0 -259
- package/src/component/public/groups/core.ts +0 -481
- package/src/component/public/groups/invites.ts +0 -608
- package/src/component/public/groups/members.ts +0 -410
- package/src/component/public/identity/accounts.ts +0 -207
- package/src/component/public/identity/codes.ts +0 -149
- package/src/component/public/identity/sessions.ts +0 -210
- package/src/component/public/identity/tokens.ts +0 -251
- package/src/component/public/identity/users.ts +0 -355
- package/src/component/public/identity/verifiers.ts +0 -158
- package/src/component/public/security/keys.ts +0 -366
- package/src/component/public/security/limits.ts +0 -174
- package/src/component/public.ts +0 -27
- package/src/component/schema.ts +0 -505
- package/src/providers/anonymous.ts +0 -99
- package/src/providers/credentials.ts +0 -102
- package/src/providers/device.ts +0 -87
- package/src/providers/email.ts +0 -99
- package/src/providers/index.ts +0 -31
- package/src/providers/oauth.ts +0 -117
- package/src/providers/passkey.ts +0 -77
- package/src/providers/password.ts +0 -441
- package/src/providers/phone.ts +0 -93
- package/src/providers/sso.ts +0 -54
- package/src/providers/totp.ts +0 -62
- package/src/samlify.d.ts +0 -53
- package/src/server/auth.ts +0 -949
- package/src/server/config.ts +0 -200
- package/src/server/context.ts +0 -90
- package/src/server/cookies.ts +0 -49
- package/src/server/core.ts +0 -2004
- package/src/server/crypto.ts +0 -90
- package/src/server/db.ts +0 -203
- package/src/server/device.ts +0 -254
- package/src/server/enterprise/config.ts +0 -51
- package/src/server/enterprise/domain.ts +0 -1739
- package/src/server/enterprise/http.ts +0 -1331
- package/src/server/enterprise/oidc.ts +0 -500
- package/src/server/enterprise/policy.ts +0 -128
- package/src/server/enterprise/saml.ts +0 -578
- package/src/server/enterprise/scim.ts +0 -135
- package/src/server/enterprise/shared.ts +0 -134
- package/src/server/enterprise/validators.ts +0 -93
- package/src/server/http.ts +0 -790
- package/src/server/identity.ts +0 -18
- package/src/server/index.ts +0 -40
- package/src/server/keys.ts +0 -158
- package/src/server/limits.ts +0 -107
- package/src/server/mounts.ts +0 -924
- package/src/server/mutations/account.ts +0 -62
- package/src/server/mutations/code.ts +0 -119
- package/src/server/mutations/index.ts +0 -13
- package/src/server/mutations/invalidate.ts +0 -50
- package/src/server/mutations/oauth.ts +0 -243
- package/src/server/mutations/refresh.ts +0 -299
- package/src/server/mutations/register.ts +0 -155
- package/src/server/mutations/retrieve.ts +0 -109
- package/src/server/mutations/signature.ts +0 -57
- package/src/server/mutations/signin.ts +0 -54
- package/src/server/mutations/signout.ts +0 -43
- package/src/server/mutations/store/refs.ts +0 -10
- package/src/server/mutations/store.ts +0 -123
- package/src/server/mutations/verifier.ts +0 -34
- package/src/server/mutations/verify.ts +0 -200
- package/src/server/oauth.ts +0 -418
- package/src/server/passkey.ts +0 -838
- package/src/server/redirects.ts +0 -59
- package/src/server/refresh.ts +0 -218
- package/src/server/runtime.ts +0 -918
- package/src/server/sessions.ts +0 -132
- package/src/server/signin.ts +0 -445
- package/src/server/ssr.ts +0 -1747
- package/src/server/templates.ts +0 -82
- package/src/server/tokens.ts +0 -35
- package/src/server/totp.ts +0 -399
- package/src/server/types.ts +0 -1942
- package/src/server/users.ts +0 -291
- package/src/server/utils.ts +0 -220
- /package/dist/{runtime → client/runtime}/invite.js +0 -0
package/dist/server/ssr.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"ssr.js","names":["host","error","tokens"],"sources":["../../src/server/ssr.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { ConvexHttpClient } from \"convex/browser\";\nimport { makeFunctionReference } from \"convex/server\";\nimport { ConvexError } from \"convex/values\";\nimport { parse, serialize } from \"cookie\";\nimport { jwtDecode } from \"jwt-decode\";\n\nimport type {\n SignInAction,\n SignInActionResult,\n SignOutAction,\n} from \"./runtime\";\nimport { isLocalHost } from \"./utils\";\n\nconst signInActionRef: SignInAction = makeFunctionReference(\"auth:signIn\");\nconst signOutActionRef: SignOutAction = makeFunctionReference(\"auth:signOut\");\n\n/** Cookie lifetime configuration for auth tokens. */\nexport type AuthCookieConfig = {\n /** Maximum age in seconds, or `null` for session cookies. */\n maxAge: number | null;\n};\n\n/** Raw cookie values extracted from a request. */\nexport type AuthCookies = {\n /** The JWT access token, or `null` when absent. */\n token: string | null;\n /** The refresh token, or `null` when absent. */\n refreshToken: string | null;\n /** The OAuth PKCE verifier, or `null` when absent. */\n verifier: string | null;\n};\n\n/** A structured cookie ready to be set via any framework's cookie API. */\nexport type AuthCookie = {\n name: string;\n value: string;\n options: {\n path: string;\n httpOnly: boolean;\n secure: boolean;\n sameSite: \"lax\" | \"strict\" | \"none\";\n maxAge?: number;\n expires?: Date;\n };\n};\n\n/**\n * Options for the SSR auth helper returned by {@link server}.\n */\nexport type ServerOptions = {\n /** Convex deployment API URL (e.g. `https://your-app.convex.cloud`). */\n url: string;\n /**\n * Accepted JWT issuers for `refresh()` and `verify()`.\n *\n * By default, this is derived from `url`. If `url` ends with\n * `.convex.cloud`, the matching `.convex.site` issuer is also accepted.\n */\n acceptedIssuers?: string[];\n /**\n * Path the client POSTs auth actions to. Defaults to `\"/api/auth\"`.\n * Must match the `proxyPath` option on the client.\n *\n * @defaultValue \"/api/auth\"\n */\n apiRoute?: string;\n /** Cookie `maxAge` in seconds, or `null` for session cookies. */\n cookieMaxAge?: number | null;\n /** Enable verbose debug logging for token refresh and cookie operations. */\n verbose?: boolean;\n /**\n * Optional namespace for auth cookie names.\n *\n * Use this to isolate auth cookies between multiple local apps on the same host.\n * If omitted, a deterministic deployment-scoped namespace is derived from `url`.\n */\n cookieNamespace?: string;\n /**\n * Control whether `refresh()` handles OAuth `?code=` query parameters.\n *\n * - `true` (default): always exchange the code on GET requests with `text/html` accept.\n * - `false`: never exchange — useful when only the client handles codes.\n * - A function: called with the `Request` for per-request decisions.\n *\n * @defaultValue true\n */\n shouldHandleCode?:\n | ((request: Request) => boolean | Promise<boolean>)\n | boolean;\n};\n\n/**\n * Result returned from `server().refresh()`.\n *\n * Covers both normal SSR refreshes and OAuth code-exchange redirects.\n */\nexport type RefreshResult =\n | {\n /** Code exchange occurred — return the pre-built redirect `Response`. */\n redirect: true;\n /** 302 redirect with Set-Cookie headers already serialized. */\n response: Response;\n }\n | {\n /** No redirect — apply cookies and read the token. */\n redirect: false;\n /** Structured cookies to set on the response. */\n cookies: AuthCookie[];\n /** JWT for SSR hydration, or `null` if not authenticated. */\n token: string | null;\n };\n\nconst TOKEN_COOKIE_BASE_NAME = \"__convexAuthJWT\";\nconst REFRESH_COOKIE_BASE_NAME = \"__convexAuthRefreshToken\";\nconst VERIFIER_COOKIE_BASE_NAME = \"__convexAuthOAuthVerifier\";\nconst DERIVED_COOKIE_NAMESPACE_FALLBACK = \"convexauth\";\n\n/**\n * Derive the cookie names used for auth tokens.\n *\n * On localhost the names are unprefixed; on production hosts they\n * use the `__Host-` prefix for tighter security.\n *\n * @param host - The `Host` header value. Omit to use unprefixed names.\n * @param cookieNamespace - Optional namespace suffix for cookie isolation.\n * @returns An object with `token`, `refreshToken`, and `verifier` cookie names.\n */\nexport function authCookieNames(\n host?: string,\n cookieNamespace?: string | null,\n) {\n const prefix = isLocalHost(host) ? \"\" : \"__Host-\";\n const namespace = normalizeCookieNamespace(cookieNamespace);\n const suffix = namespace === null ? \"\" : `_${namespace}`;\n return {\n token: `${prefix}${TOKEN_COOKIE_BASE_NAME}${suffix}`,\n refreshToken: `${prefix}${REFRESH_COOKIE_BASE_NAME}${suffix}`,\n verifier: `${prefix}${VERIFIER_COOKIE_BASE_NAME}${suffix}`,\n };\n}\n\n/**\n * Parse auth cookie values from a raw `Cookie` header string.\n *\n * @param cookieHeader - The raw `Cookie` header, or `null`/`undefined`.\n * @param host - The `Host` header, used to determine cookie name prefixes.\n * @param cookieNamespace - Optional namespace suffix for cookie isolation.\n * @returns Parsed {@link AuthCookies} with `token`, `refreshToken`, and `verifier`.\n */\nexport function parseAuthCookies(\n cookieHeader: string | null | undefined,\n host?: string,\n cookieNamespace?: string | null,\n): AuthCookies {\n const names = authCookieNames(host, cookieNamespace);\n const parsed = parse(cookieHeader ?? \"\");\n return {\n token: parsed[names.token] ?? null,\n refreshToken: parsed[names.refreshToken] ?? null,\n verifier: parsed[names.verifier] ?? null,\n };\n}\n\n/**\n * Serialize auth cookies into `Set-Cookie` header strings.\n *\n * Nulled-out values produce deletion cookies (maxAge 0, expired date).\n *\n * @param cookies - The auth cookie values to serialize.\n * @param host - The `Host` header, used for cookie name prefixes and `Secure` flag.\n * @param config - Cookie lifetime config. Defaults to session cookies.\n * @param cookieNamespace - Optional namespace suffix for cookie isolation.\n * @returns An array of three `Set-Cookie` header strings.\n */\nexport function serializeAuthCookies(\n cookies: AuthCookies,\n host?: string,\n config: AuthCookieConfig = { maxAge: null },\n cookieNamespace?: string | null,\n) {\n const names = authCookieNames(host, cookieNamespace);\n const secure = !isLocalHost(host);\n const base = {\n path: \"/\",\n httpOnly: true,\n sameSite: \"lax\" as const,\n secure,\n };\n const maxAge = config.maxAge ?? undefined;\n const serialized = [\n serialize(names.token, cookies.token ?? \"\", {\n ...base,\n maxAge: cookies.token === null ? 0 : maxAge,\n expires: cookies.token === null ? new Date(0) : undefined,\n }),\n serialize(names.refreshToken, cookies.refreshToken ?? \"\", {\n ...base,\n maxAge: cookies.refreshToken === null ? 0 : maxAge,\n expires: cookies.refreshToken === null ? new Date(0) : undefined,\n }),\n serialize(names.verifier, cookies.verifier ?? \"\", {\n ...base,\n maxAge: cookies.verifier === null ? 0 : maxAge,\n expires: cookies.verifier === null ? new Date(0) : undefined,\n }),\n ];\n return serialized;\n}\n\n/**\n * Build structured cookie objects for any SSR framework.\n *\n * Use with SvelteKit's `event.cookies.set()`, TanStack Start's `setCookie()`,\n * Next.js's `cookies().set()`, or any other framework cookie API.\n *\n * @param cookies - The auth cookie values to convert.\n * @param host - The `Host` header, used for cookie name prefixes and `Secure`.\n * @param config - Cookie lifetime config. Defaults to session cookies.\n * @param cookieNamespace - Optional namespace suffix for cookie isolation.\n * @returns Structured cookie descriptors ready for framework cookie APIs.\n */\nexport function structuredAuthCookies(\n cookies: AuthCookies,\n host?: string,\n config: AuthCookieConfig = { maxAge: null },\n cookieNamespace?: string | null,\n): AuthCookie[] {\n const names = authCookieNames(host, cookieNamespace);\n const secure = !isLocalHost(host);\n const base = {\n path: \"/\" as const,\n httpOnly: true as const,\n secure,\n sameSite: \"lax\" as const,\n };\n const maxAge = config.maxAge ?? undefined;\n const structured: AuthCookie[] = [\n {\n name: names.token,\n value: cookies.token ?? \"\",\n options: {\n ...base,\n maxAge: cookies.token === null ? 0 : maxAge,\n expires: cookies.token === null ? new Date(0) : undefined,\n },\n },\n {\n name: names.refreshToken,\n value: cookies.refreshToken ?? \"\",\n options: {\n ...base,\n maxAge: cookies.refreshToken === null ? 0 : maxAge,\n expires: cookies.refreshToken === null ? new Date(0) : undefined,\n },\n },\n {\n name: names.verifier,\n value: cookies.verifier ?? \"\",\n options: {\n ...base,\n maxAge: cookies.verifier === null ? 0 : maxAge,\n expires: cookies.verifier === null ? new Date(0) : undefined,\n },\n },\n ];\n\n return structured;\n}\n\n/**\n * Check whether a request pathname matches the auth proxy route.\n *\n * Handles trailing-slash ambiguity: both `/api/auth` and `/api/auth/`\n * match regardless of how `apiRoute` is configured.\n *\n * @param pathname - The request URL pathname.\n * @param apiRoute - The configured proxy route (e.g. `\"/api/auth\"`).\n * @returns `true` when the pathname matches the proxy route.\n *\n * @see {@link server}\n */\nexport function shouldProxyAuthAction(pathname: string, apiRoute: string) {\n if (apiRoute.endsWith(\"/\")) {\n return pathname === apiRoute || pathname === apiRoute.slice(0, -1);\n }\n return pathname === apiRoute || pathname === `${apiRoute}/`;\n}\n\nconst REQUIRED_TOKEN_LIFETIME_MS = 60_000;\nconst MINIMUM_REQUIRED_TOKEN_LIFETIME_MS = 10_000;\n\ntype DecodedToken = { exp?: number; iat?: number; iss?: string };\n\nfunction normalizeCookieNamespace(cookieNamespace?: string | null) {\n if (cookieNamespace === undefined || cookieNamespace === null) {\n return null;\n }\n const normalized = cookieNamespace\n .trim()\n .replace(/[^a-zA-Z0-9]+/g, \"_\")\n .replace(/^_+|_+$/g, \"\")\n .toLowerCase();\n return normalized.length > 0 ? normalized : null;\n}\n\n/**\n * Safely check if a string is a valid URL without throwing.\n */\nfunction canParseUrl(value: string): boolean {\n try {\n new URL(value);\n return true;\n } catch {\n return false;\n }\n}\n\nfunction serializeAuthCookie(cookie: AuthCookie): string {\n const parts = [\n `${cookie.name}=${cookie.value}`,\n `Path=${cookie.options.path}`,\n ];\n if (cookie.options.httpOnly) parts.push(\"HttpOnly\");\n if (cookie.options.secure) parts.push(\"Secure\");\n if (cookie.options.sameSite)\n parts.push(`SameSite=${cookie.options.sameSite}`);\n if (cookie.options.maxAge !== undefined)\n parts.push(`Max-Age=${cookie.options.maxAge}`);\n if (cookie.options.expires)\n parts.push(`Expires=${cookie.options.expires.toUTCString()}`);\n return parts.join(\"; \");\n}\n\nfunction buildRedirectResponse(\n location: string,\n cookies: AuthCookie[],\n): Response {\n const headers = new Headers({ Location: location });\n for (const cookie of cookies) {\n headers.append(\"Set-Cookie\", serializeAuthCookie(cookie));\n }\n return new Response(null, { status: 302, headers });\n}\n\nfunction deriveCookieNamespaceFromUrl(url: string) {\n if (!canParseUrl(url)) return DERIVED_COOKIE_NAMESPACE_FALLBACK;\n const parsed = new URL(url);\n const raw = `${parsed.hostname}${parsed.pathname}`;\n return normalizeCookieNamespace(raw) ?? DERIVED_COOKIE_NAMESPACE_FALLBACK;\n}\n\nfunction normalizeIssuer(value: string) {\n if (!canParseUrl(value)) return value.replace(/\\/+$/, \"\");\n const parsed = new URL(value);\n const pathname =\n parsed.pathname === \"/\" ? \"\" : parsed.pathname.replace(/\\/+$/, \"\");\n return `${parsed.protocol}//${parsed.host}${pathname}`;\n}\n\nfunction convexSiteIssuerFromCloudUrl(value: string) {\n if (!canParseUrl(value)) return null;\n const parsed = new URL(value);\n if (!parsed.hostname.endsWith(\".convex.cloud\")) {\n return null;\n }\n parsed.hostname =\n parsed.hostname.slice(0, -\".convex.cloud\".length) + \".convex.site\";\n return normalizeIssuer(parsed.toString());\n}\n\nfunction defaultAcceptedIssuersForUrl(value: string) {\n const issuers = [normalizeIssuer(value)];\n const siteIssuer = convexSiteIssuerFromCloudUrl(value);\n if (siteIssuer !== null) {\n issuers.push(siteIssuer);\n }\n return issuers;\n}\n\n/**\n * Create an SSR auth helper for server-side frameworks.\n *\n * Handles cookie-based token management, OAuth code exchange,\n * and automatic JWT refresh on page loads. Works with any\n * framework that gives you a `Request` object — SvelteKit,\n * TanStack Start, Remix, Next.js, etc.\n *\n * @param options - SSR configuration (Convex API URL, issuer rules, proxy route, cookie lifetime).\n * @returns An object with `token`, `verify`, `proxy`, and `refresh` methods.\n *\n * @example SvelteKit hooks\n * ```ts\n * // src/hooks.server.ts\n * import { server } from '@robelest/convex-auth/server';\n *\n * const auth = server({ url: CONVEX_URL });\n *\n * export const handle = async ({ event, resolve }) => {\n * const { cookies, token } = await auth.refresh(event.request);\n * for (const c of cookies) event.cookies.set(c.name, c.value, c.options);\n * event.locals.token = token;\n * return resolve(event);\n * };\n * ```\n *\n * @example Generic proxy endpoint\n * ```ts\n * if (shouldProxyAuthAction(url.pathname, '/api/auth')) {\n * return auth.proxy(request);\n * }\n * ```\n *\n * @param options - Server-side auth configuration including Convex URL,\n * accepted issuers, proxy route, and cookie behavior.\n * @returns SSR helpers for reading tokens, refreshing cookies, and proxying\n * auth actions through an httpOnly-cookie layer.\n *\n * @see {@link shouldProxyAuthAction}\n */\nexport function server(options: ServerOptions) {\n const convexUrl = options.url;\n const apiRoute = options.apiRoute ?? \"/api/auth\";\n const cookieConfig = { maxAge: options.cookieMaxAge ?? null };\n const verbose = options.verbose ?? false;\n const cookieNamespace =\n normalizeCookieNamespace(options.cookieNamespace) ??\n deriveCookieNamespaceFromUrl(convexUrl);\n const acceptedIssuers = new Set(\n (options.acceptedIssuers ?? defaultAcceptedIssuersForUrl(convexUrl))\n .map(normalizeIssuer)\n .filter((issuer) => issuer.length > 0),\n );\n\n return {\n /**\n * Read the JWT from the request cookies without any validation.\n *\n * @param request - The incoming HTTP request.\n * @returns The raw JWT string, or `null` when no token cookie exists.\n */\n token(request: Request): string | null {\n return parseAuthCookies(\n request.headers.get(\"cookie\"),\n request.headers.get(\"host\") ?? new URL(request.url).host,\n cookieNamespace,\n ).token;\n },\n\n /**\n * Check whether the request carries a non-expired JWT.\n *\n * Performs local expiration checking only (no network call).\n * Use for lightweight auth guards in middleware.\n *\n * @param request - The incoming HTTP request.\n * @returns `true` when a valid, non-expired JWT exists in the cookies.\n */\n async verify(request: Request): Promise<boolean> {\n const token = parseAuthCookies(\n request.headers.get(\"cookie\"),\n request.headers.get(\"host\") ?? new URL(request.url).host,\n cookieNamespace,\n ).token;\n if (token === null) {\n return false;\n }\n const decodedToken = await Fx.run(\n Fx.attempt(\n async () => jwtDecode<DecodedToken>(token),\n (decoded) => decoded,\n () => null,\n ),\n );\n if (decodedToken?.exp === undefined || decodedToken.iss === undefined) {\n return false;\n }\n if (!acceptedIssuers.has(normalizeIssuer(decodedToken.iss))) {\n return false;\n }\n return decodedToken.exp * 1000 > Date.now();\n },\n\n /**\n * Handle a proxied `signIn` or `signOut` POST from the client.\n *\n * Validates the route, method, and origin, then forwards the\n * action to Convex and returns a `Response` with updated\n * `Set-Cookie` headers. The client never sees the real\n * refresh token — it stays in httpOnly cookies.\n *\n * @param request - The incoming POST request from the client.\n * @returns A JSON `Response` with auth result and cookie headers.\n */\n async proxy(request: Request): Promise<Response> {\n const requestUrl = new URL(request.url);\n const requestDispatch = !shouldProxyAuthAction(\n requestUrl.pathname,\n apiRoute,\n )\n ? { kind: \"invalidRoute\" as const }\n : request.method !== \"POST\"\n ? { kind: \"invalidMethod\" as const }\n : (() => {\n const originHeader = request.headers.get(\"origin\");\n if (originHeader === null) {\n return false;\n }\n const forwardedProtoHeader =\n request.headers.get(\"x-forwarded-proto\");\n const protocol =\n forwardedProtoHeader !== null\n ? (() => {\n const forwardedProto = forwardedProtoHeader\n .split(\",\")[0]\n ?.trim();\n if (\n forwardedProto !== undefined &&\n forwardedProto.length > 0\n ) {\n return forwardedProto.endsWith(\":\")\n ? forwardedProto\n : `${forwardedProto}:`;\n }\n return new URL(request.url).protocol;\n })()\n : new URL(request.url).protocol;\n const requestHost =\n request.headers.get(\"host\") ?? new URL(request.url).host;\n const hostCandidate = `${protocol}//${requestHost}`;\n const host = canParseUrl(hostCandidate)\n ? new URL(hostCandidate).host\n : requestHost;\n if (!canParseUrl(originHeader)) {\n return true;\n }\n const originUrl = new URL(originHeader);\n return (\n originUrl.host !== host || originUrl.protocol !== protocol\n );\n })()\n ? { kind: \"invalidOrigin\" as const }\n : { kind: \"valid\" as const };\n\n const validationErrorResponse = await Fx.run(\n Fx.match(requestDispatch, requestDispatch.kind, {\n invalidRoute: () => new Response(\"Invalid route\", { status: 404 }),\n invalidMethod: () => new Response(\"Invalid method\", { status: 405 }),\n invalidOrigin: () => new Response(\"Invalid origin\", { status: 403 }),\n valid: () => null,\n }),\n );\n if (validationErrorResponse !== null) {\n return validationErrorResponse;\n }\n\n const body = await Fx.run(\n Fx.attempt(\n async () => {\n const parsed = await request.json();\n if (typeof parsed !== \"object\" || parsed === null) {\n return null;\n }\n return parsed as Record<string, unknown>;\n },\n (parsed) => parsed,\n () => null,\n ),\n );\n if (body === null) {\n return new Response(\"Invalid request body\", { status: 400 });\n }\n\n const action = body.action as string;\n const args =\n typeof body.args === \"object\" && body.args !== null\n ? (body.args as Record<string, any>)\n : {};\n\n const actionDispatch =\n action === \"auth:signIn\"\n ? { action: \"sessionStart\" as const }\n : action === \"auth:signOut\"\n ? { action: \"sessionStop\" as const }\n : null;\n\n if (actionDispatch === null) {\n return new Response(\"Invalid action\", { status: 400 });\n }\n\n const host = request.headers.get(\"host\") ?? new URL(request.url).host;\n const currentCookies = parseAuthCookies(\n request.headers.get(\"cookie\"),\n host,\n cookieNamespace,\n );\n\n return Fx.run(\n Fx.match(actionDispatch, actionDispatch.action, {\n sessionStart: (_) =>\n Fx.promise(async () => {\n const refreshDispatch =\n args.refreshToken === undefined\n ? { kind: \"passthrough\" as const }\n : currentCookies.refreshToken === null\n ? { kind: \"refreshRequestedWithoutCookie\" as const }\n : {\n kind: \"hydrateRefreshFromCookie\" as const,\n refreshToken: currentCookies.refreshToken,\n };\n\n const refreshResponse = await Fx.run(\n Fx.match(refreshDispatch, refreshDispatch.kind, {\n passthrough: async () => null,\n hydrateRefreshFromCookie: async ({ refreshToken }) => {\n args.refreshToken = refreshToken;\n return null;\n },\n refreshRequestedWithoutCookie: async () => {\n const currentToken = currentCookies.token;\n const decodedToken =\n currentToken === null\n ? null\n : await Fx.run(\n Fx.attempt(\n async () => jwtDecode<DecodedToken>(currentToken),\n (decoded) => decoded,\n () => null,\n ),\n );\n const tokenDispatch =\n currentToken !== null &&\n decodedToken?.exp !== undefined &&\n decodedToken.iss !== undefined &&\n acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) &&\n decodedToken.exp * 1000 > Date.now()\n ? {\n kind: \"validToken\" as const,\n token: currentToken,\n }\n : { kind: \"missingToken\" as const };\n return await Fx.run(\n Fx.match(tokenDispatch, tokenDispatch.kind, {\n validToken: ({ token }) =>\n new Response(\n JSON.stringify({\n tokens: {\n token,\n refreshToken: \"dummy\",\n },\n }),\n {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n },\n ),\n missingToken: () =>\n new Response(JSON.stringify({ tokens: null }), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n }),\n }),\n );\n },\n }),\n );\n const refreshDecision =\n refreshResponse !== null\n ? {\n kind: \"shortCircuit\" as const,\n response: refreshResponse,\n }\n : { kind: \"continue\" as const };\n const maybeShortCircuitResponse = await Fx.run(\n Fx.match(refreshDecision, refreshDecision.kind, {\n shortCircuit: ({ response }) => response,\n continue: () => null,\n }),\n );\n if (maybeShortCircuitResponse !== null) {\n return maybeShortCircuitResponse;\n }\n\n const client = new ConvexHttpClient(convexUrl);\n const authDispatch =\n args.refreshToken === undefined &&\n args.params?.code === undefined &&\n currentCookies.token !== null\n ? {\n kind: \"attachAuth\" as const,\n token: currentCookies.token,\n }\n : { kind: \"skipAuth\" as const };\n await Fx.run(\n Fx.match(authDispatch, authDispatch.kind, {\n attachAuth: ({ token }) => {\n client.setAuth(token);\n },\n skipAuth: () => undefined,\n }),\n );\n return Fx.run(\n Fx.from({\n ok: () => client.action(signInActionRef, args),\n err: (error) => error,\n }).pipe(\n Fx.fold({\n ok: (result: SignInActionResult) =>\n Fx.run(\n Fx.match(result, result.kind, {\n redirect: (redirectResult) => {\n const response = new Response(\n JSON.stringify({\n kind: \"redirect\",\n redirect: redirectResult.redirect,\n verifier: redirectResult.verifier,\n }),\n {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n },\n );\n for (const value of serializeAuthCookies(\n {\n ...currentCookies,\n verifier: redirectResult.verifier,\n },\n host,\n cookieConfig,\n cookieNamespace,\n )) {\n response.headers.append(\"Set-Cookie\", value);\n }\n return Fx.succeed(response);\n },\n signedIn: (signedInResult) => {\n const response = new Response(\n JSON.stringify({\n kind: \"signedIn\",\n tokens:\n signedInResult.tokens === null\n ? null\n : {\n token: signedInResult.tokens.token,\n refreshToken: \"dummy\",\n },\n }),\n {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n },\n );\n for (const value of serializeAuthCookies(\n {\n token: signedInResult.tokens?.token ?? null,\n refreshToken:\n signedInResult.tokens?.refreshToken ?? null,\n verifier: null,\n },\n host,\n cookieConfig,\n cookieNamespace,\n )) {\n response.headers.append(\"Set-Cookie\", value);\n }\n return Fx.succeed(response);\n },\n started: (startedResult) =>\n Fx.succeed(\n new Response(JSON.stringify(startedResult), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n }),\n ),\n passkeyOptions: (passkeyOptionsResult) =>\n Fx.succeed(\n new Response(\n JSON.stringify(passkeyOptionsResult),\n {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n },\n ),\n ),\n totpRequired: (totpRequiredResult) =>\n Fx.succeed(\n new Response(JSON.stringify(totpRequiredResult), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n }),\n ),\n totpSetup: (totpSetupResult) =>\n Fx.succeed(\n new Response(JSON.stringify(totpSetupResult), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n }),\n ),\n deviceCode: (deviceCodeResult) =>\n Fx.succeed(\n new Response(JSON.stringify(deviceCodeResult), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n }),\n ),\n }),\n ),\n err: (error: unknown) => {\n const errorBody =\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n \"code\" in error.data\n ? {\n error:\n (error.data as { message?: string }).message ??\n String(error),\n authError: error.data,\n }\n : {\n error:\n error instanceof Error\n ? error.message\n : String(error),\n };\n const response = new Response(JSON.stringify(errorBody), {\n status: 400,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n const clearSession =\n args.refreshToken !== undefined &&\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n (error.data as Record<string, unknown>).code ===\n \"INVALID_REFRESH_TOKEN\";\n for (const value of serializeAuthCookies(\n {\n token: clearSession ? null : currentCookies.token,\n refreshToken: clearSession\n ? null\n : currentCookies.refreshToken,\n verifier: null,\n },\n host,\n cookieConfig,\n cookieNamespace,\n )) {\n response.headers.append(\"Set-Cookie\", value);\n }\n return response;\n },\n }),\n ),\n );\n }),\n sessionStop: (_) =>\n Fx.promise(async () => {\n await Fx.run(\n Fx.from({\n ok: () =>\n (() => {\n const client = new ConvexHttpClient(convexUrl);\n if (currentCookies.token !== null) {\n client.setAuth(currentCookies.token);\n }\n return client.action(signOutActionRef);\n })(),\n err: (error) => error,\n }).pipe(\n Fx.recover((error: unknown) => {\n console.error(\n \"[convex-auth/server] proxy sign-out failed\",\n error,\n );\n const fallbackDispatch =\n currentCookies.refreshToken !== null\n ? {\n kind: \"attemptFallback\" as const,\n refreshToken: currentCookies.refreshToken,\n }\n : { kind: \"skipFallback\" as const };\n return Fx.match(fallbackDispatch, fallbackDispatch.kind, {\n attemptFallback: ({ refreshToken }) =>\n Fx.from({\n ok: async () => {\n const refreshClient = new ConvexHttpClient(\n convexUrl,\n );\n const refreshed = (await refreshClient.action(\n signInActionRef,\n {\n refreshToken,\n },\n )) as SignInActionResult;\n const refreshedTokens = await Fx.run(\n Fx.match(refreshed, refreshed.kind, {\n signedIn: (signedInResult) =>\n Fx.succeed(signedInResult.tokens),\n redirect: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for sign-out fallback refresh\",\n ),\n ),\n started: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for sign-out fallback refresh\",\n ),\n ),\n passkeyOptions: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for sign-out fallback refresh\",\n ),\n ),\n totpRequired: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for sign-out fallback refresh\",\n ),\n ),\n totpSetup: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for sign-out fallback refresh\",\n ),\n ),\n deviceCode: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for sign-out fallback refresh\",\n ),\n ),\n }),\n );\n const fallbackSignOutDispatch =\n refreshedTokens !== null\n ? {\n kind: \"signOutWithRefreshed\" as const,\n token: refreshedTokens.token,\n }\n : { kind: \"skipRefreshedSignOut\" as const };\n await Fx.run(\n Fx.match(\n fallbackSignOutDispatch,\n fallbackSignOutDispatch.kind,\n {\n signOutWithRefreshed: ({ token }) =>\n Fx.promise(async () => {\n const client = new ConvexHttpClient(\n convexUrl,\n );\n client.setAuth(token);\n await client.action(signOutActionRef);\n }),\n skipRefreshedSignOut: () =>\n Fx.succeed(undefined),\n },\n ),\n );\n },\n err: (error) => error,\n }).pipe(\n Fx.recover((fallbackError: unknown) => {\n console.error(\n \"[convex-auth/server] proxy sign-out fallback failed\",\n fallbackError,\n );\n return Fx.succeed(undefined);\n }),\n ),\n skipFallback: () => Fx.succeed(undefined),\n });\n }),\n Fx.map(() => undefined),\n ),\n );\n const response = new Response(JSON.stringify(null), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n for (const value of serializeAuthCookies(\n {\n token: null,\n refreshToken: null,\n verifier: null,\n },\n host,\n cookieConfig,\n cookieNamespace,\n )) {\n response.headers.append(\"Set-Cookie\", value);\n }\n return response;\n }),\n }),\n );\n },\n\n /**\n * Refresh auth tokens on page load.\n *\n * Call this in your server hooks/middleware on every request.\n * It handles three scenarios:\n *\n * 1. **OAuth code exchange** — exchanges a `?code=` query param for tokens and returns a redirect URL.\n * 2. **Token refresh** — refreshes the JWT if it's close to expiry.\n * 3. **No-op** — returns the existing token when no refresh is needed.\n *\n * @param request - The incoming HTTP request.\n * @returns Structured cookies to set on the response, an optional redirect URL, and the current JWT.\n */\n async refresh(request: Request): Promise<RefreshResult> {\n const host = request.headers.get(\"host\") ?? new URL(request.url).host;\n const currentCookies = parseAuthCookies(\n request.headers.get(\"cookie\"),\n host,\n cookieNamespace,\n );\n const currentToken = currentCookies.token;\n\n // CORS request — do not mutate auth cookies from cross-origin requests.\n const originHeader = request.headers.get(\"origin\");\n const forwardedProtoHeader = request.headers.get(\"x-forwarded-proto\");\n const protocol =\n forwardedProtoHeader !== null\n ? (() => {\n const forwardedProto = forwardedProtoHeader.split(\",\")[0]?.trim();\n if (forwardedProto !== undefined && forwardedProto.length > 0) {\n return forwardedProto.endsWith(\":\")\n ? forwardedProto\n : `${forwardedProto}:`;\n }\n return new URL(request.url).protocol;\n })()\n : new URL(request.url).protocol;\n const requestHost =\n request.headers.get(\"host\") ?? new URL(request.url).host;\n const hostCandidate = `${protocol}//${requestHost}`;\n const normalizedHost = canParseUrl(hostCandidate)\n ? new URL(hostCandidate).host\n : requestHost;\n const originUrl =\n originHeader !== null && canParseUrl(originHeader)\n ? new URL(originHeader)\n : null;\n const corsRequest =\n originHeader !== null &&\n (originUrl === null ||\n originUrl.host !== normalizedHost ||\n originUrl.protocol !== protocol);\n const corsDispatch = corsRequest\n ? { kind: \"crossOrigin\" as const }\n : { kind: \"sameOrigin\" as const };\n const corsRefreshResult = await Fx.run(\n Fx.match(corsDispatch, corsDispatch.kind, {\n crossOrigin: () =>\n ({\n redirect: false,\n cookies: [],\n token: null,\n }) satisfies RefreshResult,\n sameOrigin: () => null,\n }),\n );\n if (corsRefreshResult !== null) {\n return corsRefreshResult;\n }\n\n // OAuth code exchange — exchange code for tokens and redirect.\n const requestUrl = new URL(request.url);\n const code = requestUrl.searchParams.get(\"code\");\n const shouldHandleCode =\n options.shouldHandleCode === undefined\n ? true\n : typeof options.shouldHandleCode === \"function\"\n ? await options.shouldHandleCode(request)\n : options.shouldHandleCode;\n\n const codeExchangeDispatch =\n code !== null &&\n request.method === \"GET\" &&\n request.headers.get(\"accept\")?.includes(\"text/html\") &&\n shouldHandleCode\n ? { kind: \"exchange\" as const, code }\n : { kind: \"skip\" as const };\n const codeExchangeResult = await Fx.run(\n Fx.match(codeExchangeDispatch, codeExchangeDispatch.kind, {\n exchange: async ({\n code: verificationCode,\n }): Promise<RefreshResult> => {\n const redirectUrl = new URL(requestUrl.toString());\n return Fx.run(\n Fx.from({\n ok: async () => {\n const client = new ConvexHttpClient(convexUrl);\n const result = (await client.action(signInActionRef, {\n params: { code: verificationCode },\n verifier: currentCookies.verifier ?? undefined,\n })) as SignInActionResult;\n const tokens = await Fx.run(\n Fx.match(result, result.kind, {\n signedIn: (signedInResult) =>\n Fx.succeed(signedInResult.tokens),\n redirect: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for code exchange\",\n ),\n ),\n started: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for code exchange\",\n ),\n ),\n passkeyOptions: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for code exchange\",\n ),\n ),\n totpRequired: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for code exchange\",\n ),\n ),\n totpSetup: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for code exchange\",\n ),\n ),\n deviceCode: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for code exchange\",\n ),\n ),\n }),\n );\n return { kind: \"signedIn\" as const, tokens };\n },\n err: (error) => error,\n }).pipe(\n Fx.fold({\n ok: (result): RefreshResult => {\n redirectUrl.searchParams.delete(\"code\");\n const cookies = structuredAuthCookies(\n {\n token: result.tokens?.token ?? null,\n refreshToken: result.tokens?.refreshToken ?? null,\n verifier: null,\n },\n host,\n cookieConfig,\n cookieNamespace,\n );\n return {\n redirect: true,\n response: buildRedirectResponse(\n redirectUrl.toString(),\n cookies,\n ),\n };\n },\n err: (error: unknown): RefreshResult => {\n console.error(\n \"[convex-auth/server] code exchange failed\",\n error,\n );\n const errorCode =\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n typeof (error.data as Record<string, unknown>).code ===\n \"string\"\n ? ((error.data as Record<string, unknown>)\n .code as string)\n : null;\n const terminalCodeExchangeError =\n errorCode === \"OAUTH_INVALID_STATE\" ||\n errorCode === \"OAUTH_PROVIDER_ERROR\" ||\n errorCode === \"OAUTH_MISSING_ID_TOKEN\" ||\n errorCode === \"OAUTH_INVALID_PROFILE\" ||\n errorCode === \"OAUTH_MISSING_VERIFIER\" ||\n errorCode === \"INVALID_VERIFIER\" ||\n errorCode === \"INVALID_VERIFICATION_CODE\";\n if (!terminalCodeExchangeError) {\n return {\n redirect: false,\n cookies: [],\n token: currentCookies.token,\n };\n }\n redirectUrl.searchParams.delete(\"code\");\n const cookies = structuredAuthCookies(\n {\n token: currentCookies.token,\n refreshToken: currentCookies.refreshToken,\n verifier: null,\n },\n host,\n cookieConfig,\n cookieNamespace,\n );\n return {\n redirect: true,\n response: buildRedirectResponse(\n redirectUrl.toString(),\n cookies,\n ),\n };\n },\n }),\n ),\n );\n },\n skip: async () => null,\n }),\n );\n const codeExchangeDecision =\n codeExchangeResult !== null\n ? { kind: \"done\" as const, result: codeExchangeResult }\n : { kind: \"continue\" as const };\n const maybeCodeExchangeResult = await Fx.run(\n Fx.match(codeExchangeDecision, codeExchangeDecision.kind, {\n done: ({ result }) => result,\n continue: () => null,\n }),\n );\n if (maybeCodeExchangeResult !== null) {\n return maybeCodeExchangeResult;\n }\n\n // Normal page load — refresh tokens if needed.\n const tokens = await Fx.run(\n Fx.gen(function* () {\n const { token, refreshToken } = currentCookies;\n\n const isMalformedRefreshToken =\n refreshToken !== null &&\n (refreshToken.trim().length === 0 || refreshToken === \"dummy\");\n const malformedRefreshTokenDispatch = isMalformedRefreshToken\n ? { kind: \"malformed\" as const }\n : { kind: \"ok\" as const };\n const malformedRefreshTokenResult = yield* Fx.match(\n malformedRefreshTokenDispatch,\n malformedRefreshTokenDispatch.kind,\n {\n malformed: () => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refresh token cookie malformed, clearing auth cookies`,\n );\n }\n return null;\n },\n ok: () => undefined,\n },\n );\n if (malformedRefreshTokenResult !== undefined) {\n return malformedRefreshTokenResult;\n }\n\n const decodedToken =\n token === null\n ? null\n : yield* Fx.attempt(\n async () => jwtDecode<DecodedToken>(token),\n (decoded) => decoded,\n () => null,\n );\n const issuerDispatch =\n decodedToken?.iss !== undefined &&\n !acceptedIssuers.has(normalizeIssuer(decodedToken.iss))\n ? { kind: \"issuerMismatch\" as const }\n : { kind: \"issuerOk\" as const };\n const issuerResult = yield* Fx.match(\n issuerDispatch,\n issuerDispatch.kind,\n {\n issuerMismatch: () => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Access token issuer mismatch, clearing auth cookies`,\n );\n }\n return null;\n },\n issuerOk: () => undefined,\n },\n );\n if (issuerResult !== undefined) {\n return issuerResult;\n }\n\n const tokenState =\n token === null\n ? refreshToken === null\n ? { kind: \"none\" as const }\n : { kind: \"refreshOnly\" as const, refreshToken }\n : refreshToken === null\n ? { kind: \"accessOnly\" as const, token }\n : { kind: \"both\" as const, token, refreshToken };\n\n return yield* Fx.match(tokenState, tokenState.kind, {\n none: () => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] No auth cookies found, skipping refresh`,\n );\n }\n return Fx.succeed(undefined);\n },\n refreshOnly: ({ refreshToken: refreshTokenValue }) => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Access token cookie missing, attempting refresh-token recovery`,\n );\n }\n return Fx.from({\n ok: async () => {\n const client = new ConvexHttpClient(convexUrl);\n const result = (await client.action(signInActionRef, {\n refreshToken: refreshTokenValue,\n })) as SignInActionResult;\n const tokens = await Fx.run(\n Fx.match(result, result.kind, {\n signedIn: (signedInResult) =>\n Fx.succeed(signedInResult.tokens),\n redirect: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n started: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n passkeyOptions: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n totpRequired: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n totpSetup: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n deviceCode: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n }),\n );\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens === null}`,\n );\n }\n return tokens;\n },\n err: (error) => error,\n }).pipe(\n Fx.recover((error: unknown) => {\n console.error(\n \"[convex-auth/server] refresh-token exchange failed\",\n error,\n );\n const errorCode =\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n typeof (error.data as Record<string, unknown>).code ===\n \"string\"\n ? ((error.data as Record<string, unknown>).code as string)\n : null;\n if (errorCode === \"INVALID_REFRESH_TOKEN\") {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refresh token rejected, clearing auth cookies`,\n );\n }\n return Fx.succeed(\n null as\n | { token: string; refreshToken: string }\n | null\n | undefined,\n );\n }\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Token refresh failed transiently, keeping current cookies`,\n );\n }\n return Fx.succeed(\n undefined as\n | { token: string; refreshToken: string }\n | null\n | undefined,\n );\n }),\n );\n },\n accessOnly: () => {\n const accessOnlyDispatch =\n decodedToken?.exp !== undefined &&\n decodedToken.iss !== undefined &&\n acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) &&\n decodedToken.exp * 1000 > Date.now()\n ? { kind: \"accessValid\" as const }\n : { kind: \"accessInvalid\" as const };\n return Fx.match(accessOnlyDispatch, accessOnlyDispatch.kind, {\n accessValid: () => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refresh token cookie missing but access token still valid`,\n );\n }\n return Fx.succeed(undefined);\n },\n accessInvalid: () => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refresh token cookie missing and access token invalid, clearing`,\n );\n }\n return Fx.succeed(null);\n },\n });\n },\n both: ({ refreshToken: refreshTokenValue }) => {\n const bothDecodeDispatch:\n | { kind: \"undecodable\" }\n | {\n kind: \"decoded\";\n decodedToken: DecodedToken & {\n exp: number;\n iat: number;\n };\n } =\n decodedToken?.exp === undefined ||\n decodedToken.iat === undefined\n ? { kind: \"undecodable\" as const }\n : {\n kind: \"decoded\" as const,\n decodedToken: decodedToken as DecodedToken & {\n exp: number;\n iat: number;\n },\n };\n return Fx.match(bothDecodeDispatch, bothDecodeDispatch.kind, {\n undecodable: () => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Failed to decode access token, attempting refresh-token recovery`,\n );\n }\n return Fx.from({\n ok: async () => {\n const client = new ConvexHttpClient(convexUrl);\n const result = (await client.action(signInActionRef, {\n refreshToken: refreshTokenValue,\n })) as SignInActionResult;\n const tokens = await Fx.run(\n Fx.match(result, result.kind, {\n signedIn: (signedInResult) =>\n Fx.succeed(signedInResult.tokens),\n redirect: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n started: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n passkeyOptions: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n totpRequired: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n totpSetup: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n deviceCode: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n }),\n );\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens === null}`,\n );\n }\n return tokens;\n },\n err: (error) => error,\n }).pipe(\n Fx.recover((error: unknown) => {\n console.error(\n \"[convex-auth/server] refresh-token exchange failed\",\n error,\n );\n const errorCode =\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n typeof (error.data as Record<string, unknown>).code ===\n \"string\"\n ? ((error.data as Record<string, unknown>)\n .code as string)\n : null;\n if (errorCode === \"INVALID_REFRESH_TOKEN\") {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refresh token rejected, clearing auth cookies`,\n );\n }\n return Fx.succeed(\n null as\n | { token: string; refreshToken: string }\n | null\n | undefined,\n );\n }\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Token refresh failed transiently, keeping current cookies`,\n );\n }\n return Fx.succeed(\n undefined as\n | { token: string; refreshToken: string }\n | null\n | undefined,\n );\n }),\n );\n },\n decoded: ({ decodedToken: decodedAccessToken }) => {\n const totalTokenLifetimeMs =\n decodedAccessToken.exp * 1000 -\n decodedAccessToken.iat * 1000;\n const minimumExpiration =\n Date.now() +\n Math.min(\n REQUIRED_TOKEN_LIFETIME_MS,\n Math.max(\n MINIMUM_REQUIRED_TOKEN_LIFETIME_MS,\n totalTokenLifetimeMs / 10,\n ),\n );\n const expirationDispatch =\n decodedAccessToken.exp * 1000 > minimumExpiration\n ? { kind: \"skipRefresh\" as const }\n : { kind: \"refresh\" as const };\n return Fx.match(expirationDispatch, expirationDispatch.kind, {\n skipRefresh: () => {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Token valid long enough, skipping refresh`,\n );\n }\n return Fx.succeed(undefined);\n },\n refresh: () =>\n Fx.from({\n ok: async () => {\n const client = new ConvexHttpClient(convexUrl);\n const result = (await client.action(signInActionRef, {\n refreshToken: refreshTokenValue,\n })) as SignInActionResult;\n const tokens = await Fx.run(\n Fx.match(result, result.kind, {\n signedIn: (signedInResult) =>\n Fx.succeed(signedInResult.tokens),\n redirect: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n started: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n passkeyOptions: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n totpRequired: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n totpSetup: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n deviceCode: () =>\n Fx.fatal(\n new Error(\n \"Invalid `auth:signIn` result for token refresh\",\n ),\n ),\n }),\n );\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens === null}`,\n );\n }\n return tokens;\n },\n err: (error) => error,\n }).pipe(\n Fx.recover((error: unknown) => {\n console.error(\n \"[convex-auth/server] refresh-token exchange failed\",\n error,\n );\n const errorCode =\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n typeof (error.data as Record<string, unknown>)\n .code === \"string\"\n ? ((error.data as Record<string, unknown>)\n .code as string)\n : null;\n if (errorCode === \"INVALID_REFRESH_TOKEN\") {\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Refresh token rejected, clearing auth cookies`,\n );\n }\n return Fx.succeed(\n null as\n | { token: string; refreshToken: string }\n | null\n | undefined,\n );\n }\n if (verbose) {\n console.debug(\n `${new Date().toISOString()} [convex-auth/server] Token refresh failed transiently, keeping current cookies`,\n );\n }\n return Fx.succeed(\n undefined as\n | { token: string; refreshToken: string }\n | null\n | undefined,\n );\n }),\n ),\n });\n },\n });\n },\n });\n }),\n );\n if (tokens === undefined) {\n return { redirect: false, cookies: [], token: currentToken };\n }\n\n return {\n redirect: false,\n cookies: structuredAuthCookies(\n {\n token: tokens?.token ?? null,\n refreshToken: tokens?.refreshToken ?? null,\n verifier: null,\n },\n host,\n cookieConfig,\n cookieNamespace,\n ),\n token: tokens?.token ?? null,\n };\n },\n };\n}\n"],"mappings":";;;;;;;;;AAcA,MAAM,kBAAgC,sBAAsB,cAAc;AAC1E,MAAM,mBAAkC,sBAAsB,eAAe;AAkG7E,MAAM,yBAAyB;AAC/B,MAAM,2BAA2B;AACjC,MAAM,4BAA4B;AAClC,MAAM,oCAAoC;;;;;;;;;;;AAY1C,SAAgB,gBACd,MACA,iBACA;CACA,MAAM,SAAS,YAAY,KAAK,GAAG,KAAK;CACxC,MAAM,YAAY,yBAAyB,gBAAgB;CAC3D,MAAM,SAAS,cAAc,OAAO,KAAK,IAAI;AAC7C,QAAO;EACL,OAAO,GAAG,SAAS,yBAAyB;EAC5C,cAAc,GAAG,SAAS,2BAA2B;EACrD,UAAU,GAAG,SAAS,4BAA4B;EACnD;;;;;;;;;;AAWH,SAAgB,iBACd,cACA,MACA,iBACa;CACb,MAAM,QAAQ,gBAAgB,MAAM,gBAAgB;CACpD,MAAM,SAAS,MAAM,gBAAgB,GAAG;AACxC,QAAO;EACL,OAAO,OAAO,MAAM,UAAU;EAC9B,cAAc,OAAO,MAAM,iBAAiB;EAC5C,UAAU,OAAO,MAAM,aAAa;EACrC;;;;;;;;;;;;;AAcH,SAAgB,qBACd,SACA,MACA,SAA2B,EAAE,QAAQ,MAAM,EAC3C,iBACA;CACA,MAAM,QAAQ,gBAAgB,MAAM,gBAAgB;CAEpD,MAAM,OAAO;EACX,MAAM;EACN,UAAU;EACV,UAAU;EACV,QALa,CAAC,YAAY,KAAK;EAMhC;CACD,MAAM,SAAS,OAAO,UAAU;AAkBhC,QAjBmB;EACjB,UAAU,MAAM,OAAO,QAAQ,SAAS,IAAI;GAC1C,GAAG;GACH,QAAQ,QAAQ,UAAU,OAAO,IAAI;GACrC,SAAS,QAAQ,UAAU,uBAAO,IAAI,KAAK,EAAE,GAAG;GACjD,CAAC;EACF,UAAU,MAAM,cAAc,QAAQ,gBAAgB,IAAI;GACxD,GAAG;GACH,QAAQ,QAAQ,iBAAiB,OAAO,IAAI;GAC5C,SAAS,QAAQ,iBAAiB,uBAAO,IAAI,KAAK,EAAE,GAAG;GACxD,CAAC;EACF,UAAU,MAAM,UAAU,QAAQ,YAAY,IAAI;GAChD,GAAG;GACH,QAAQ,QAAQ,aAAa,OAAO,IAAI;GACxC,SAAS,QAAQ,aAAa,uBAAO,IAAI,KAAK,EAAE,GAAG;GACpD,CAAC;EACH;;;;;;;;;;;;;;AAgBH,SAAgB,sBACd,SACA,MACA,SAA2B,EAAE,QAAQ,MAAM,EAC3C,iBACc;CACd,MAAM,QAAQ,gBAAgB,MAAM,gBAAgB;CAEpD,MAAM,OAAO;EACX,MAAM;EACN,UAAU;EACV,QAJa,CAAC,YAAY,KAAK;EAK/B,UAAU;EACX;CACD,MAAM,SAAS,OAAO,UAAU;AA+BhC,QA9BiC;EAC/B;GACE,MAAM,MAAM;GACZ,OAAO,QAAQ,SAAS;GACxB,SAAS;IACP,GAAG;IACH,QAAQ,QAAQ,UAAU,OAAO,IAAI;IACrC,SAAS,QAAQ,UAAU,uBAAO,IAAI,KAAK,EAAE,GAAG;IACjD;GACF;EACD;GACE,MAAM,MAAM;GACZ,OAAO,QAAQ,gBAAgB;GAC/B,SAAS;IACP,GAAG;IACH,QAAQ,QAAQ,iBAAiB,OAAO,IAAI;IAC5C,SAAS,QAAQ,iBAAiB,uBAAO,IAAI,KAAK,EAAE,GAAG;IACxD;GACF;EACD;GACE,MAAM,MAAM;GACZ,OAAO,QAAQ,YAAY;GAC3B,SAAS;IACP,GAAG;IACH,QAAQ,QAAQ,aAAa,OAAO,IAAI;IACxC,SAAS,QAAQ,aAAa,uBAAO,IAAI,KAAK,EAAE,GAAG;IACpD;GACF;EACF;;;;;;;;;;;;;;AAiBH,SAAgB,sBAAsB,UAAkB,UAAkB;AACxE,KAAI,SAAS,SAAS,IAAI,CACxB,QAAO,aAAa,YAAY,aAAa,SAAS,MAAM,GAAG,GAAG;AAEpE,QAAO,aAAa,YAAY,aAAa,GAAG,SAAS;;AAG3D,MAAM,6BAA6B;AACnC,MAAM,qCAAqC;AAI3C,SAAS,yBAAyB,iBAAiC;AACjE,KAAI,oBAAoB,UAAa,oBAAoB,KACvD,QAAO;CAET,MAAM,aAAa,gBAChB,MAAM,CACN,QAAQ,kBAAkB,IAAI,CAC9B,QAAQ,YAAY,GAAG,CACvB,aAAa;AAChB,QAAO,WAAW,SAAS,IAAI,aAAa;;;;;AAM9C,SAAS,YAAY,OAAwB;AAC3C,KAAI;AACF,MAAI,IAAI,MAAM;AACd,SAAO;SACD;AACN,SAAO;;;AAIX,SAAS,oBAAoB,QAA4B;CACvD,MAAM,QAAQ,CACZ,GAAG,OAAO,KAAK,GAAG,OAAO,SACzB,QAAQ,OAAO,QAAQ,OACxB;AACD,KAAI,OAAO,QAAQ,SAAU,OAAM,KAAK,WAAW;AACnD,KAAI,OAAO,QAAQ,OAAQ,OAAM,KAAK,SAAS;AAC/C,KAAI,OAAO,QAAQ,SACjB,OAAM,KAAK,YAAY,OAAO,QAAQ,WAAW;AACnD,KAAI,OAAO,QAAQ,WAAW,OAC5B,OAAM,KAAK,WAAW,OAAO,QAAQ,SAAS;AAChD,KAAI,OAAO,QAAQ,QACjB,OAAM,KAAK,WAAW,OAAO,QAAQ,QAAQ,aAAa,GAAG;AAC/D,QAAO,MAAM,KAAK,KAAK;;AAGzB,SAAS,sBACP,UACA,SACU;CACV,MAAM,UAAU,IAAI,QAAQ,EAAE,UAAU,UAAU,CAAC;AACnD,MAAK,MAAM,UAAU,QACnB,SAAQ,OAAO,cAAc,oBAAoB,OAAO,CAAC;AAE3D,QAAO,IAAI,SAAS,MAAM;EAAE,QAAQ;EAAK;EAAS,CAAC;;AAGrD,SAAS,6BAA6B,KAAa;AACjD,KAAI,CAAC,YAAY,IAAI,CAAE,QAAO;CAC9B,MAAM,SAAS,IAAI,IAAI,IAAI;AAE3B,QAAO,yBADK,GAAG,OAAO,WAAW,OAAO,WACJ,IAAI;;AAG1C,SAAS,gBAAgB,OAAe;AACtC,KAAI,CAAC,YAAY,MAAM,CAAE,QAAO,MAAM,QAAQ,QAAQ,GAAG;CACzD,MAAM,SAAS,IAAI,IAAI,MAAM;CAC7B,MAAM,WACJ,OAAO,aAAa,MAAM,KAAK,OAAO,SAAS,QAAQ,QAAQ,GAAG;AACpE,QAAO,GAAG,OAAO,SAAS,IAAI,OAAO,OAAO;;AAG9C,SAAS,6BAA6B,OAAe;AACnD,KAAI,CAAC,YAAY,MAAM,CAAE,QAAO;CAChC,MAAM,SAAS,IAAI,IAAI,MAAM;AAC7B,KAAI,CAAC,OAAO,SAAS,SAAS,gBAAgB,CAC5C,QAAO;AAET,QAAO,WACL,OAAO,SAAS,MAAM,GAAG,IAAwB,GAAG;AACtD,QAAO,gBAAgB,OAAO,UAAU,CAAC;;AAG3C,SAAS,6BAA6B,OAAe;CACnD,MAAM,UAAU,CAAC,gBAAgB,MAAM,CAAC;CACxC,MAAM,aAAa,6BAA6B,MAAM;AACtD,KAAI,eAAe,KACjB,SAAQ,KAAK,WAAW;AAE1B,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2CT,SAAgB,OAAO,SAAwB;CAC7C,MAAM,YAAY,QAAQ;CAC1B,MAAM,WAAW,QAAQ,YAAY;CACrC,MAAM,eAAe,EAAE,QAAQ,QAAQ,gBAAgB,MAAM;CAC7D,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,kBACJ,yBAAyB,QAAQ,gBAAgB,IACjD,6BAA6B,UAAU;CACzC,MAAM,kBAAkB,IAAI,KACzB,QAAQ,mBAAmB,6BAA6B,UAAU,EAChE,IAAI,gBAAgB,CACpB,QAAQ,WAAW,OAAO,SAAS,EAAE,CACzC;AAED,QAAO;EAOL,MAAM,SAAiC;AACrC,UAAO,iBACL,QAAQ,QAAQ,IAAI,SAAS,EAC7B,QAAQ,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC,MACpD,gBACD,CAAC;;EAYJ,MAAM,OAAO,SAAoC;GAC/C,MAAM,QAAQ,iBACZ,QAAQ,QAAQ,IAAI,SAAS,EAC7B,QAAQ,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC,MACpD,gBACD,CAAC;AACF,OAAI,UAAU,KACZ,QAAO;GAET,MAAM,eAAe,MAAM,GAAG,IAC5B,GAAG,QACD,YAAY,UAAwB,MAAM,GACzC,YAAY,eACP,KACP,CACF;AACD,OAAI,cAAc,QAAQ,UAAa,aAAa,QAAQ,OAC1D,QAAO;AAET,OAAI,CAAC,gBAAgB,IAAI,gBAAgB,aAAa,IAAI,CAAC,CACzD,QAAO;AAET,UAAO,aAAa,MAAM,MAAO,KAAK,KAAK;;EAc7C,MAAM,MAAM,SAAqC;GAE/C,MAAM,kBAAkB,CAAC,sBADN,IAAI,IAAI,QAAQ,IAAI,CAE1B,UACX,SACD,GACG,EAAE,MAAM,gBAAyB,GACjC,QAAQ,WAAW,SACjB,EAAE,MAAM,iBAA0B,UAC3B;IACH,MAAM,eAAe,QAAQ,QAAQ,IAAI,SAAS;AAClD,QAAI,iBAAiB,KACnB,QAAO;IAET,MAAM,uBACJ,QAAQ,QAAQ,IAAI,oBAAoB;IAC1C,MAAM,WACJ,yBAAyB,cACd;KACL,MAAM,iBAAiB,qBACpB,MAAM,IAAI,CAAC,IACV,MAAM;AACV,SACE,mBAAmB,UACnB,eAAe,SAAS,EAExB,QAAO,eAAe,SAAS,IAAI,GAC/B,iBACA,GAAG,eAAe;AAExB,YAAO,IAAI,IAAI,QAAQ,IAAI,CAAC;QAC1B,GACJ,IAAI,IAAI,QAAQ,IAAI,CAAC;IAC3B,MAAM,cACJ,QAAQ,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC;IACtD,MAAM,gBAAgB,GAAG,SAAS,IAAI;IACtC,MAAMA,SAAO,YAAY,cAAc,GACnC,IAAI,IAAI,cAAc,CAAC,OACvB;AACJ,QAAI,CAAC,YAAY,aAAa,CAC5B,QAAO;IAET,MAAM,YAAY,IAAI,IAAI,aAAa;AACvC,WACE,UAAU,SAASA,UAAQ,UAAU,aAAa;OAElD,GACJ,EAAE,MAAM,iBAA0B,GAClC,EAAE,MAAM,SAAkB;GAElC,MAAM,0BAA0B,MAAM,GAAG,IACvC,GAAG,MAAM,iBAAiB,gBAAgB,MAAM;IAC9C,oBAAoB,IAAI,SAAS,iBAAiB,EAAE,QAAQ,KAAK,CAAC;IAClE,qBAAqB,IAAI,SAAS,kBAAkB,EAAE,QAAQ,KAAK,CAAC;IACpE,qBAAqB,IAAI,SAAS,kBAAkB,EAAE,QAAQ,KAAK,CAAC;IACpE,aAAa;IACd,CAAC,CACH;AACD,OAAI,4BAA4B,KAC9B,QAAO;GAGT,MAAM,OAAO,MAAM,GAAG,IACpB,GAAG,QACD,YAAY;IACV,MAAM,SAAS,MAAM,QAAQ,MAAM;AACnC,QAAI,OAAO,WAAW,YAAY,WAAW,KAC3C,QAAO;AAET,WAAO;OAER,WAAW,cACN,KACP,CACF;AACD,OAAI,SAAS,KACX,QAAO,IAAI,SAAS,wBAAwB,EAAE,QAAQ,KAAK,CAAC;GAG9D,MAAM,SAAS,KAAK;GACpB,MAAM,OACJ,OAAO,KAAK,SAAS,YAAY,KAAK,SAAS,OAC1C,KAAK,OACN,EAAE;GAER,MAAM,iBACJ,WAAW,gBACP,EAAE,QAAQ,gBAAyB,GACnC,WAAW,iBACT,EAAE,QAAQ,eAAwB,GAClC;AAER,OAAI,mBAAmB,KACrB,QAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,KAAK,CAAC;GAGxD,MAAM,OAAO,QAAQ,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC;GACjE,MAAM,iBAAiB,iBACrB,QAAQ,QAAQ,IAAI,SAAS,EAC7B,MACA,gBACD;AAED,UAAO,GAAG,IACR,GAAG,MAAM,gBAAgB,eAAe,QAAQ;IAC9C,eAAe,MACb,GAAG,QAAQ,YAAY;KACrB,MAAM,kBACJ,KAAK,iBAAiB,SAClB,EAAE,MAAM,eAAwB,GAChC,eAAe,iBAAiB,OAC9B,EAAE,MAAM,iCAA0C,GAClD;MACE,MAAM;MACN,cAAc,eAAe;MAC9B;KAET,MAAM,kBAAkB,MAAM,GAAG,IAC/B,GAAG,MAAM,iBAAiB,gBAAgB,MAAM;MAC9C,aAAa,YAAY;MACzB,0BAA0B,OAAO,EAAE,mBAAmB;AACpD,YAAK,eAAe;AACpB,cAAO;;MAET,+BAA+B,YAAY;OACzC,MAAM,eAAe,eAAe;OACpC,MAAM,eACJ,iBAAiB,OACb,OACA,MAAM,GAAG,IACP,GAAG,QACD,YAAY,UAAwB,aAAa,GAChD,YAAY,eACP,KACP,CACF;OACP,MAAM,gBACJ,iBAAiB,QACjB,cAAc,QAAQ,UACtB,aAAa,QAAQ,UACrB,gBAAgB,IAAI,gBAAgB,aAAa,IAAI,CAAC,IACtD,aAAa,MAAM,MAAO,KAAK,KAAK,GAChC;QACE,MAAM;QACN,OAAO;QACR,GACD,EAAE,MAAM,gBAAyB;AACvC,cAAO,MAAM,GAAG,IACd,GAAG,MAAM,eAAe,cAAc,MAAM;QAC1C,aAAa,EAAE,YACb,IAAI,SACF,KAAK,UAAU,EACb,QAAQ;SACN;SACA,cAAc;SACf,EACF,CAAC,EACF;SACE,QAAQ;SACR,SAAS,EACP,gBAAgB,oBACjB;SACF,CACF;QACH,oBACE,IAAI,SAAS,KAAK,UAAU,EAAE,QAAQ,MAAM,CAAC,EAAE;SAC7C,QAAQ;SACR,SAAS,EACP,gBAAgB,oBACjB;SACF,CAAC;QACL,CAAC,CACH;;MAEJ,CAAC,CACH;KACD,MAAM,kBACJ,oBAAoB,OAChB;MACE,MAAM;MACN,UAAU;MACX,GACD,EAAE,MAAM,YAAqB;KACnC,MAAM,4BAA4B,MAAM,GAAG,IACzC,GAAG,MAAM,iBAAiB,gBAAgB,MAAM;MAC9C,eAAe,EAAE,eAAe;MAChC,gBAAgB;MACjB,CAAC,CACH;AACD,SAAI,8BAA8B,KAChC,QAAO;KAGT,MAAM,SAAS,IAAI,iBAAiB,UAAU;KAC9C,MAAM,eACJ,KAAK,iBAAiB,UACtB,KAAK,QAAQ,SAAS,UACtB,eAAe,UAAU,OACrB;MACE,MAAM;MACN,OAAO,eAAe;MACvB,GACD,EAAE,MAAM,YAAqB;AACnC,WAAM,GAAG,IACP,GAAG,MAAM,cAAc,aAAa,MAAM;MACxC,aAAa,EAAE,YAAY;AACzB,cAAO,QAAQ,MAAM;;MAEvB,gBAAgB;MACjB,CAAC,CACH;AACD,YAAO,GAAG,IACR,GAAG,KAAK;MACN,UAAU,OAAO,OAAO,iBAAiB,KAAK;MAC9C,MAAM,UAAU;MACjB,CAAC,CAAC,KACD,GAAG,KAAK;MACN,KAAK,WACH,GAAG,IACD,GAAG,MAAM,QAAQ,OAAO,MAAM;OAC5B,WAAW,mBAAmB;QAC5B,MAAM,WAAW,IAAI,SACnB,KAAK,UAAU;SACb,MAAM;SACN,UAAU,eAAe;SACzB,UAAU,eAAe;SAC1B,CAAC,EACF;SACE,QAAQ;SACR,SAAS,EACP,gBAAgB,oBACjB;SACF,CACF;AACD,aAAK,MAAM,SAAS,qBAClB;SACE,GAAG;SACH,UAAU,eAAe;SAC1B,EACD,MACA,cACA,gBACD,CACC,UAAS,QAAQ,OAAO,cAAc,MAAM;AAE9C,eAAO,GAAG,QAAQ,SAAS;;OAE7B,WAAW,mBAAmB;QAC5B,MAAM,WAAW,IAAI,SACnB,KAAK,UAAU;SACb,MAAM;SACN,QACE,eAAe,WAAW,OACtB,OACA;UACE,OAAO,eAAe,OAAO;UAC7B,cAAc;UACf;SACR,CAAC,EACF;SACE,QAAQ;SACR,SAAS,EACP,gBAAgB,oBACjB;SACF,CACF;AACD,aAAK,MAAM,SAAS,qBAClB;SACE,OAAO,eAAe,QAAQ,SAAS;SACvC,cACE,eAAe,QAAQ,gBAAgB;SACzC,UAAU;SACX,EACD,MACA,cACA,gBACD,CACC,UAAS,QAAQ,OAAO,cAAc,MAAM;AAE9C,eAAO,GAAG,QAAQ,SAAS;;OAE7B,UAAU,kBACR,GAAG,QACD,IAAI,SAAS,KAAK,UAAU,cAAc,EAAE;QAC1C,QAAQ;QACR,SAAS,EACP,gBAAgB,oBACjB;QACF,CAAC,CACH;OACH,iBAAiB,yBACf,GAAG,QACD,IAAI,SACF,KAAK,UAAU,qBAAqB,EACpC;QACE,QAAQ;QACR,SAAS,EACP,gBAAgB,oBACjB;QACF,CACF,CACF;OACH,eAAe,uBACb,GAAG,QACD,IAAI,SAAS,KAAK,UAAU,mBAAmB,EAAE;QAC/C,QAAQ;QACR,SAAS,EACP,gBAAgB,oBACjB;QACF,CAAC,CACH;OACH,YAAY,oBACV,GAAG,QACD,IAAI,SAAS,KAAK,UAAU,gBAAgB,EAAE;QAC5C,QAAQ;QACR,SAAS,EACP,gBAAgB,oBACjB;QACF,CAAC,CACH;OACH,aAAa,qBACX,GAAG,QACD,IAAI,SAAS,KAAK,UAAU,iBAAiB,EAAE;QAC7C,QAAQ;QACR,SAAS,EACP,gBAAgB,oBACjB;QACF,CAAC,CACH;OACJ,CAAC,CACH;MACH,MAAM,UAAmB;OACvB,MAAM,YACJ,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,UAAU,MAAM,OACZ;QACE,OACG,MAAM,KAA8B,WACrC,OAAO,MAAM;QACf,WAAW,MAAM;QAClB,GACD,EACE,OACE,iBAAiB,QACb,MAAM,UACN,OAAO,MAAM,EACpB;OACP,MAAM,WAAW,IAAI,SAAS,KAAK,UAAU,UAAU,EAAE;QACvD,QAAQ;QACR,SAAS,EACP,gBAAgB,oBACjB;QACF,CAAC;OACF,MAAM,eACJ,KAAK,iBAAiB,UACtB,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACd,MAAM,KAAiC,SACtC;AACJ,YAAK,MAAM,SAAS,qBAClB;QACE,OAAO,eAAe,OAAO,eAAe;QAC5C,cAAc,eACV,OACA,eAAe;QACnB,UAAU;QACX,EACD,MACA,cACA,gBACD,CACC,UAAS,QAAQ,OAAO,cAAc,MAAM;AAE9C,cAAO;;MAEV,CAAC,CACH,CACF;MACD;IACJ,cAAc,MACZ,GAAG,QAAQ,YAAY;AACrB,WAAM,GAAG,IACP,GAAG,KAAK;MACN,iBACS;OACL,MAAM,SAAS,IAAI,iBAAiB,UAAU;AAC9C,WAAI,eAAe,UAAU,KAC3B,QAAO,QAAQ,eAAe,MAAM;AAEtC,cAAO,OAAO,OAAO,iBAAiB;UACpC;MACN,MAAM,UAAU;MACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAmB;AAC7B,cAAQ,MACN,8CACA,MACD;MACD,MAAM,mBACJ,eAAe,iBAAiB,OAC5B;OACE,MAAM;OACN,cAAc,eAAe;OAC9B,GACD,EAAE,MAAM,gBAAyB;AACvC,aAAO,GAAG,MAAM,kBAAkB,iBAAiB,MAAM;OACvD,kBAAkB,EAAE,mBAClB,GAAG,KAAK;QACN,IAAI,YAAY;SAId,MAAM,YAAa,MAHG,IAAI,iBACxB,UACD,CACsC,OACrC,iBACA,EACE,cACD,CACF;SACD,MAAM,kBAAkB,MAAM,GAAG,IAC/B,GAAG,MAAM,WAAW,UAAU,MAAM;UAClC,WAAW,mBACT,GAAG,QAAQ,eAAe,OAAO;UACnC,gBACE,GAAG,sBACD,IAAI,MACF,6DACD,CACF;UACH,eACE,GAAG,sBACD,IAAI,MACF,6DACD,CACF;UACH,sBACE,GAAG,sBACD,IAAI,MACF,6DACD,CACF;UACH,oBACE,GAAG,sBACD,IAAI,MACF,6DACD,CACF;UACH,iBACE,GAAG,sBACD,IAAI,MACF,6DACD,CACF;UACH,kBACE,GAAG,sBACD,IAAI,MACF,6DACD,CACF;UACJ,CAAC,CACH;SACD,MAAM,0BACJ,oBAAoB,OAChB;UACE,MAAM;UACN,OAAO,gBAAgB;UACxB,GACD,EAAE,MAAM,wBAAiC;AAC/C,eAAM,GAAG,IACP,GAAG,MACD,yBACA,wBAAwB,MACxB;UACE,uBAAuB,EAAE,YACvB,GAAG,QAAQ,YAAY;WACrB,MAAM,SAAS,IAAI,iBACjB,UACD;AACD,kBAAO,QAAQ,MAAM;AACrB,iBAAM,OAAO,OAAO,iBAAiB;YACrC;UACJ,4BACE,GAAG,QAAQ,OAAU;UACxB,CACF,CACF;;QAEH,MAAM,YAAUC;QACjB,CAAC,CAAC,KACD,GAAG,SAAS,kBAA2B;AACrC,gBAAQ,MACN,uDACA,cACD;AACD,eAAO,GAAG,QAAQ,OAAU;SAC5B,CACH;OACH,oBAAoB,GAAG,QAAQ,OAAU;OAC1C,CAAC;OACF,EACF,GAAG,UAAU,OAAU,CACxB,CACF;KACD,MAAM,WAAW,IAAI,SAAS,KAAK,UAAU,KAAK,EAAE;MAClD,QAAQ;MACR,SAAS,EACP,gBAAgB,oBACjB;MACF,CAAC;AACF,UAAK,MAAM,SAAS,qBAClB;MACE,OAAO;MACP,cAAc;MACd,UAAU;MACX,EACD,MACA,cACA,gBACD,CACC,UAAS,QAAQ,OAAO,cAAc,MAAM;AAE9C,YAAO;MACP;IACL,CAAC,CACH;;EAgBH,MAAM,QAAQ,SAA0C;GACtD,MAAM,OAAO,QAAQ,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC;GACjE,MAAM,iBAAiB,iBACrB,QAAQ,QAAQ,IAAI,SAAS,EAC7B,MACA,gBACD;GACD,MAAM,eAAe,eAAe;GAGpC,MAAM,eAAe,QAAQ,QAAQ,IAAI,SAAS;GAClD,MAAM,uBAAuB,QAAQ,QAAQ,IAAI,oBAAoB;GACrE,MAAM,WACJ,yBAAyB,cACd;IACL,MAAM,iBAAiB,qBAAqB,MAAM,IAAI,CAAC,IAAI,MAAM;AACjE,QAAI,mBAAmB,UAAa,eAAe,SAAS,EAC1D,QAAO,eAAe,SAAS,IAAI,GAC/B,iBACA,GAAG,eAAe;AAExB,WAAO,IAAI,IAAI,QAAQ,IAAI,CAAC;OAC1B,GACJ,IAAI,IAAI,QAAQ,IAAI,CAAC;GAC3B,MAAM,cACJ,QAAQ,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC;GACtD,MAAM,gBAAgB,GAAG,SAAS,IAAI;GACtC,MAAM,iBAAiB,YAAY,cAAc,GAC7C,IAAI,IAAI,cAAc,CAAC,OACvB;GACJ,MAAM,YACJ,iBAAiB,QAAQ,YAAY,aAAa,GAC9C,IAAI,IAAI,aAAa,GACrB;GAMN,MAAM,eAJJ,iBAAiB,SAChB,cAAc,QACb,UAAU,SAAS,kBACnB,UAAU,aAAa,YAEvB,EAAE,MAAM,eAAwB,GAChC,EAAE,MAAM,cAAuB;GACnC,MAAM,oBAAoB,MAAM,GAAG,IACjC,GAAG,MAAM,cAAc,aAAa,MAAM;IACxC,oBACG;KACC,UAAU;KACV,SAAS,EAAE;KACX,OAAO;KACR;IACH,kBAAkB;IACnB,CAAC,CACH;AACD,OAAI,sBAAsB,KACxB,QAAO;GAIT,MAAM,aAAa,IAAI,IAAI,QAAQ,IAAI;GACvC,MAAM,OAAO,WAAW,aAAa,IAAI,OAAO;GAChD,MAAM,mBACJ,QAAQ,qBAAqB,SACzB,OACA,OAAO,QAAQ,qBAAqB,aAClC,MAAM,QAAQ,iBAAiB,QAAQ,GACvC,QAAQ;GAEhB,MAAM,uBACJ,SAAS,QACT,QAAQ,WAAW,SACnB,QAAQ,QAAQ,IAAI,SAAS,EAAE,SAAS,YAAY,IACpD,mBACI;IAAE,MAAM;IAAqB;IAAM,GACnC,EAAE,MAAM,QAAiB;GAC/B,MAAM,qBAAqB,MAAM,GAAG,IAClC,GAAG,MAAM,sBAAsB,qBAAqB,MAAM;IACxD,UAAU,OAAO,EACf,MAAM,uBACsB;KAC5B,MAAM,cAAc,IAAI,IAAI,WAAW,UAAU,CAAC;AAClD,YAAO,GAAG,IACR,GAAG,KAAK;MACN,IAAI,YAAY;OAEd,MAAM,SAAU,MADD,IAAI,iBAAiB,UAAU,CACjB,OAAO,iBAAiB;QACnD,QAAQ,EAAE,MAAM,kBAAkB;QAClC,UAAU,eAAe,YAAY;QACtC,CAAC;AA2CF,cAAO;QAAE,MAAM;QAAqB,QA1CrB,MAAM,GAAG,IACtB,GAAG,MAAM,QAAQ,OAAO,MAAM;SAC5B,WAAW,mBACT,GAAG,QAAQ,eAAe,OAAO;SACnC,gBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,eACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,sBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,oBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,iBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,kBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACJ,CAAC,CACH;QAC2C;;MAE9C,MAAM,UAAU;MACjB,CAAC,CAAC,KACD,GAAG,KAAK;MACN,KAAK,WAA0B;AAC7B,mBAAY,aAAa,OAAO,OAAO;OACvC,MAAM,UAAU,sBACd;QACE,OAAO,OAAO,QAAQ,SAAS;QAC/B,cAAc,OAAO,QAAQ,gBAAgB;QAC7C,UAAU;QACX,EACD,MACA,cACA,gBACD;AACD,cAAO;QACL,UAAU;QACV,UAAU,sBACR,YAAY,UAAU,EACtB,QACD;QACF;;MAEH,MAAM,UAAkC;AACtC,eAAQ,MACN,6CACA,MACD;OACD,MAAM,YACJ,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,OAAQ,MAAM,KAAiC,SAC7C,WACI,MAAM,KACL,OACH;AASN,WAAI,EAPF,cAAc,yBACd,cAAc,0BACd,cAAc,4BACd,cAAc,2BACd,cAAc,4BACd,cAAc,sBACd,cAAc,6BAEd,QAAO;QACL,UAAU;QACV,SAAS,EAAE;QACX,OAAO,eAAe;QACvB;AAEH,mBAAY,aAAa,OAAO,OAAO;OACvC,MAAM,UAAU,sBACd;QACE,OAAO,eAAe;QACtB,cAAc,eAAe;QAC7B,UAAU;QACX,EACD,MACA,cACA,gBACD;AACD,cAAO;QACL,UAAU;QACV,UAAU,sBACR,YAAY,UAAU,EACtB,QACD;QACF;;MAEJ,CAAC,CACH,CACF;;IAEH,MAAM,YAAY;IACnB,CAAC,CACH;GACD,MAAM,uBACJ,uBAAuB,OACnB;IAAE,MAAM;IAAiB,QAAQ;IAAoB,GACrD,EAAE,MAAM,YAAqB;GACnC,MAAM,0BAA0B,MAAM,GAAG,IACvC,GAAG,MAAM,sBAAsB,qBAAqB,MAAM;IACxD,OAAO,EAAE,aAAa;IACtB,gBAAgB;IACjB,CAAC,CACH;AACD,OAAI,4BAA4B,KAC9B,QAAO;GAIT,MAAM,SAAS,MAAM,GAAG,IACtB,GAAG,IAAI,aAAa;IAClB,MAAM,EAAE,OAAO,iBAAiB;IAKhC,MAAM,gCAFJ,iBAAiB,SAChB,aAAa,MAAM,CAAC,WAAW,KAAK,iBAAiB,WAEpD,EAAE,MAAM,aAAsB,GAC9B,EAAE,MAAM,MAAe;IAC3B,MAAM,8BAA8B,OAAO,GAAG,MAC5C,+BACA,8BAA8B,MAC9B;KACE,iBAAiB;AACf,UAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,6EAC7B;AAEH,aAAO;;KAET,UAAU;KACX,CACF;AACD,QAAI,gCAAgC,OAClC,QAAO;IAGT,MAAM,eACJ,UAAU,OACN,OACA,OAAO,GAAG,QACR,YAAY,UAAwB,MAAM,GACzC,YAAY,eACP,KACP;IACP,MAAM,iBACJ,cAAc,QAAQ,UACtB,CAAC,gBAAgB,IAAI,gBAAgB,aAAa,IAAI,CAAC,GACnD,EAAE,MAAM,kBAA2B,GACnC,EAAE,MAAM,YAAqB;IACnC,MAAM,eAAe,OAAO,GAAG,MAC7B,gBACA,eAAe,MACf;KACE,sBAAsB;AACpB,UAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,2EAC7B;AAEH,aAAO;;KAET,gBAAgB;KACjB,CACF;AACD,QAAI,iBAAiB,OACnB,QAAO;IAGT,MAAM,aACJ,UAAU,OACN,iBAAiB,OACf,EAAE,MAAM,QAAiB,GACzB;KAAE,MAAM;KAAwB;KAAc,GAChD,iBAAiB,OACf;KAAE,MAAM;KAAuB;KAAO,GACtC;KAAE,MAAM;KAAiB;KAAO;KAAc;AAEtD,WAAO,OAAO,GAAG,MAAM,YAAY,WAAW,MAAM;KAClD,YAAY;AACV,UAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,+DAC7B;AAEH,aAAO,GAAG,QAAQ,OAAU;;KAE9B,cAAc,EAAE,cAAc,wBAAwB;AACpD,UAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,sFAC7B;AAEH,aAAO,GAAG,KAAK;OACb,IAAI,YAAY;QAEd,MAAM,SAAU,MADD,IAAI,iBAAiB,UAAU,CACjB,OAAO,iBAAiB,EACnD,cAAc,mBACf,CAAC;QACF,MAAMC,WAAS,MAAM,GAAG,IACtB,GAAG,MAAM,QAAQ,OAAO,MAAM;SAC5B,WAAW,mBACT,GAAG,QAAQ,eAAe,OAAO;SACnC,gBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,eACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,sBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,oBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,iBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACH,kBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;SACJ,CAAC,CACH;AACD,YAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,+CAA+CA,aAAW,OACvF;AAEH,eAAOA;;OAET,MAAM,UAAU;OACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAmB;AAC7B,eAAQ,MACN,sDACA,MACD;AASD,YAPE,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,OAAQ,MAAM,KAAiC,SAC7C,WACI,MAAM,KAAiC,OACzC,UACY,yBAAyB;AACzC,YAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,qEAC7B;AAEH,eAAO,GAAG,QACR,KAID;;AAEH,WAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,iFAC7B;AAEH,cAAO,GAAG,QACR,OAID;QACD,CACH;;KAEH,kBAAkB;MAChB,MAAM,qBACJ,cAAc,QAAQ,UACtB,aAAa,QAAQ,UACrB,gBAAgB,IAAI,gBAAgB,aAAa,IAAI,CAAC,IACtD,aAAa,MAAM,MAAO,KAAK,KAAK,GAChC,EAAE,MAAM,eAAwB,GAChC,EAAE,MAAM,iBAA0B;AACxC,aAAO,GAAG,MAAM,oBAAoB,mBAAmB,MAAM;OAC3D,mBAAmB;AACjB,YAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,iFAC7B;AAEH,eAAO,GAAG,QAAQ,OAAU;;OAE9B,qBAAqB;AACnB,YAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,uFAC7B;AAEH,eAAO,GAAG,QAAQ,KAAK;;OAE1B,CAAC;;KAEJ,OAAO,EAAE,cAAc,wBAAwB;MAC7C,MAAM,qBASJ,cAAc,QAAQ,UACtB,aAAa,QAAQ,SACjB,EAAE,MAAM,eAAwB,GAChC;OACE,MAAM;OACQ;OAIf;AACP,aAAO,GAAG,MAAM,oBAAoB,mBAAmB,MAAM;OAC3D,mBAAmB;AACjB,YAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,wFAC7B;AAEH,eAAO,GAAG,KAAK;SACb,IAAI,YAAY;UAEd,MAAM,SAAU,MADD,IAAI,iBAAiB,UAAU,CACjB,OAAO,iBAAiB,EACnD,cAAc,mBACf,CAAC;UACF,MAAMA,WAAS,MAAM,GAAG,IACtB,GAAG,MAAM,QAAQ,OAAO,MAAM;WAC5B,WAAW,mBACT,GAAG,QAAQ,eAAe,OAAO;WACnC,gBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;WACH,eACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;WACH,sBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;WACH,oBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;WACH,iBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;WACH,kBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;WACJ,CAAC,CACH;AACD,cAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,+CAA+CA,aAAW,OACvF;AAEH,iBAAOA;;SAET,MAAM,UAAU;SACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAmB;AAC7B,iBAAQ,MACN,sDACA,MACD;AAUD,cARE,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,OAAQ,MAAM,KAAiC,SAC7C,WACI,MAAM,KACL,OACH,UACY,yBAAyB;AACzC,cAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,qEAC7B;AAEH,iBAAO,GAAG,QACR,KAID;;AAEH,aAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,iFAC7B;AAEH,gBAAO,GAAG,QACR,OAID;UACD,CACH;;OAEH,UAAU,EAAE,cAAc,yBAAyB;QACjD,MAAM,uBACJ,mBAAmB,MAAM,MACzB,mBAAmB,MAAM;QAC3B,MAAM,oBACJ,KAAK,KAAK,GACV,KAAK,IACH,4BACA,KAAK,IACH,oCACA,uBAAuB,GACxB,CACF;QACH,MAAM,qBACJ,mBAAmB,MAAM,MAAO,oBAC5B,EAAE,MAAM,eAAwB,GAChC,EAAE,MAAM,WAAoB;AAClC,eAAO,GAAG,MAAM,oBAAoB,mBAAmB,MAAM;SAC3D,mBAAmB;AACjB,cAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,iEAC7B;AAEH,iBAAO,GAAG,QAAQ,OAAU;;SAE9B,eACE,GAAG,KAAK;UACN,IAAI,YAAY;WAEd,MAAM,SAAU,MADD,IAAI,iBAAiB,UAAU,CACjB,OAAO,iBAAiB,EACnD,cAAc,mBACf,CAAC;WACF,MAAMA,WAAS,MAAM,GAAG,IACtB,GAAG,MAAM,QAAQ,OAAO,MAAM;YAC5B,WAAW,mBACT,GAAG,QAAQ,eAAe,OAAO;YACnC,gBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;YACH,eACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;YACH,sBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;YACH,oBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;YACH,iBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;YACH,kBACE,GAAG,sBACD,IAAI,MACF,iDACD,CACF;YACJ,CAAC,CACH;AACD,eAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,+CAA+CA,aAAW,OACvF;AAEH,kBAAOA;;UAET,MAAM,UAAU;UACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAmB;AAC7B,kBAAQ,MACN,sDACA,MACD;AAUD,eARE,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,OAAQ,MAAM,KACX,SAAS,WACN,MAAM,KACL,OACH,UACY,yBAAyB;AACzC,eAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,qEAC7B;AAEH,kBAAO,GAAG,QACR,KAID;;AAEH,cAAI,QACF,SAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,iFAC7B;AAEH,iBAAO,GAAG,QACR,OAID;WACD,CACH;SACJ,CAAC;;OAEL,CAAC;;KAEL,CAAC;KACF,CACH;AACD,OAAI,WAAW,OACb,QAAO;IAAE,UAAU;IAAO,SAAS,EAAE;IAAE,OAAO;IAAc;AAG9D,UAAO;IACL,UAAU;IACV,SAAS,sBACP;KACE,OAAO,QAAQ,SAAS;KACxB,cAAc,QAAQ,gBAAgB;KACtC,UAAU;KACX,EACD,MACA,cACA,gBACD;IACD,OAAO,QAAQ,SAAS;IACzB;;EAEJ"}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export { };
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"templates.js","names":[],"sources":["../../src/server/templates.ts"],"sourcesContent":["/**\n * Default email templates generated by the Auth library.\n *\n * These are used when the library sends emails on behalf of the developer\n * (for example magic links). The developer provides the transport via\n * `email.send`; the library provides the content.\n *\n * @module\n */\n\n/**\n * Default magic link email template.\n *\n * Clean, minimal design that works across email clients.\n * Used by the auto-registered `email` provider when `email` is\n * configured in `createAuth(...)`.\n */\n/** @internal */\nexport function defaultMagicLinkEmail(url: string, host: string): string {\n const escapedHost = host.replace(\n /[&<>\"']/g,\n (c) =>\n ({ \"&\": \"&\", \"<\": \"<\", \">\": \">\", '\"': \""\", \"'\": \"'\" })[\n c\n ]!,\n );\n\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"utf-8\" />\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <title>Sign in to ${escapedHost}</title>\n</head>\n<body style=\"margin:0;padding:0;background-color:#f9fafb;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;\">\n <table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" style=\"background-color:#f9fafb;padding:40px 16px;\">\n <tr>\n <td align=\"center\">\n <table role=\"presentation\" width=\"480\" cellpadding=\"0\" cellspacing=\"0\" style=\"background-color:#ffffff;border:1px solid #e5e7eb;border-radius:8px;overflow:hidden;\">\n <tr>\n <td style=\"padding:32px 32px 0 32px;text-align:center;\">\n <h1 style=\"margin:0 0 8px 0;font-size:20px;font-weight:600;color:#111827;line-height:1.3;\">\n Sign in to ${escapedHost}\n </h1>\n </td>\n </tr>\n <tr>\n <td style=\"padding:24px 32px;\">\n <p style=\"margin:0 0 24px 0;font-size:15px;line-height:1.6;color:#4b5563;text-align:center;\">\n Click the button below to sign in. This link will expire shortly.\n </p>\n <table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td align=\"center\" style=\"padding:0 0 24px 0;\">\n <a href=\"${url}\" target=\"_blank\" style=\"display:inline-block;background-color:#111827;color:#ffffff;font-size:15px;font-weight:600;text-decoration:none;padding:12px 32px;border-radius:6px;line-height:1;\">\n Sign in\n </a>\n </td>\n </tr>\n </table>\n <p style=\"margin:0 0 12px 0;font-size:13px;line-height:1.6;color:#9ca3af;\">\n If the button doesn't work, copy and paste this URL into your browser:\n </p>\n <p style=\"margin:0;font-size:13px;line-height:1.5;color:#6b7280;word-break:break-all;\">\n ${url}\n </p>\n </td>\n </tr>\n <tr>\n <td style=\"padding:20px 32px;border-top:1px solid #e5e7eb;\">\n <p style=\"margin:0;font-size:12px;line-height:1.5;color:#9ca3af;text-align:center;\">\n If you didn't request this email, you can safely ignore it.\n </p>\n </td>\n </tr>\n </table>\n </td>\n </tr>\n </table>\n</body>\n</html>`;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAkBA,SAAgB,sBAAsB,KAAa,MAAsB;CACvE,MAAM,cAAc,KAAK,QACvB,aACC,OACE;EAAE,KAAK;EAAS,KAAK;EAAQ,KAAK;EAAQ,MAAK;EAAU,KAAK;EAAS,EACtE,GAEL;AAED,QAAO;;;;;sBAKa,YAAY;;;;;;;;;;6BAUL,YAAY;;;;;;;;;;;;+BAYV,IAAI;;;;;;;;;;kBAUjB,IAAI"}
|
package/dist/server/tokens.d.ts
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export { };
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"tokens.js","names":[],"sources":["../../src/server/tokens.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { SignJWT, importPKCS8 } from \"jose\";\n\nimport { ConvexAuthConfig } from \"./types\";\nimport { generateRandomString, TOKEN_SUB_CLAIM_DIVIDER } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_JWT_DURATION_MS = 1000 * 60 * 60; // 1 hour\nconst TOKEN_JTI_LENGTH = 24;\nconst TOKEN_JTI_ALPHABET =\n \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\";\n\n/** @internal */\nexport async function generateToken(\n args: {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n },\n config: ConvexAuthConfig,\n) {\n const privateKey = await importPKCS8(requireEnv(\"JWT_PRIVATE_KEY\"), \"RS256\");\n const expirationTime = new Date(\n Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS),\n );\n return await new SignJWT({\n sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId,\n })\n .setProtectedHeader({ alg: \"RS256\" })\n .setIssuedAt()\n .setJti(generateRandomString(TOKEN_JTI_LENGTH, TOKEN_JTI_ALPHABET))\n .setIssuer(requireEnv(\"CONVEX_SITE_URL\"))\n .setAudience(\"convex\")\n .setExpirationTime(expirationTime)\n .sign(privateKey);\n}\n"],"mappings":";;;;AAOA,MAAM,0BAA0B,MAAO,KAAK;AAC5C,MAAM,mBAAmB;AACzB,MAAM,qBACJ;;AAGF,eAAsB,cACpB,MAIA,QACA;CACA,MAAM,aAAa,MAAM,YAAY,WAAW,kBAAkB,EAAE,QAAQ;CAC5E,MAAM,iBAAiB,IAAI,KACzB,KAAK,KAAK,IAAI,OAAO,KAAK,cAAc,yBACzC;AACD,QAAO,MAAM,IAAI,QAAQ,EACvB,KAAK,KAAK,SAAS,0BAA0B,KAAK,WACnD,CAAC,CACC,mBAAmB,EAAE,KAAK,SAAS,CAAC,CACpC,aAAa,CACb,OAAO,qBAAqB,kBAAkB,mBAAmB,CAAC,CAClE,UAAU,WAAW,kBAAkB,CAAC,CACxC,YAAY,SAAS,CACrB,kBAAkB,eAAe,CACjC,KAAK,WAAW"}
|
package/dist/server/totp.d.ts
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export { };
|
package/dist/server/totp.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"totp.js","names":["code","verifier"],"sources":["../../src/server/totp.ts"],"sourcesContent":["/**\n * Server-side TOTP ceremony logic for two-factor authentication.\n *\n * Handles the three phases of the TOTP flow:\n * 1. setup — generate a TOTP secret and `otpauth://` URI for enrollment\n * 2. confirm — verify the first code from the authenticator app\n * 3. verify — verify a TOTP code during sign-in (2FA challenge)\n */\n\nimport { encodeBase32LowerCaseNoPadding } from \"@oslojs/encoding\";\nimport { verifyTOTPWithGracePeriod, createTOTPKeyURI } from \"@oslojs/otp\";\nimport type { Fx as FxType } from \"@robelest/fx\";\nimport { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { ConvexError } from \"convex/values\";\n\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { TotpProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n queryUserById,\n queryTotpById,\n queryTotpVerifiedByUserId,\n queryVerifierById,\n mutateTotpInsert,\n mutateTotpMarkVerified,\n mutateTotpUpdateLastUsed,\n mutateVerifierDelete,\n} from \"./types\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Setup flow\n// ============================================================================\n\n// ============================================================================\n// Confirm flow\n// ============================================================================\n\n// ============================================================================\n// Verify flow (2FA during sign-in)\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\ntype TotpResult =\n | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n | {\n kind: \"totpSetup\";\n uri: string;\n secret: string;\n verifier: string;\n totpId: string;\n };\n\nconst TOTP_FLOWS = [\"setup\", \"confirm\", \"verify\"] as const;\n\ntype TotpFlow = (typeof TOTP_FLOWS)[number];\n\ntype TotpDispatch =\n | { flow: \"setup\"; params: Record<string, unknown> }\n | { flow: \"confirm\"; code: string; totpId: string; verifier: string }\n | { flow: \"verify\"; code: string; verifier: string };\n\nconst resolveTotpFlowFx = (\n params: Record<string, unknown>,\n): FxType<TotpFlow, ConvexError<any>> => {\n const flow = params.flow;\n return typeof flow === \"string\" && TOTP_FLOWS.includes(flow as never)\n ? Fx.succeed(flow as TotpFlow)\n : Cv.fail({\n code: \"TOTP_MISSING_FLOW\",\n message:\n \"Missing `flow` parameter. Expected one of: setup, confirm, verify\",\n });\n};\n\nconst requireTotpVerifierFx = (\n verifier: string | undefined,\n): FxType<string, ConvexError<any>> =>\n verifier != null\n ? Fx.succeed(verifier)\n : Cv.fail({\n code: \"TOTP_MISSING_VERIFIER\",\n message: \"Missing verifier for TOTP operation.\",\n });\n\nconst requireTotpCodeFx = (\n params: Record<string, unknown>,\n): FxType<string, ConvexError<any>> =>\n typeof params.code === \"string\"\n ? Fx.succeed(params.code)\n : Cv.fail({ code: \"TOTP_MISSING_CODE\", message: \"Missing TOTP code.\" });\n\nconst requireTotpIdFx = (\n params: Record<string, unknown>,\n): FxType<string, ConvexError<any>> =>\n typeof params.totpId === \"string\"\n ? Fx.succeed(params.totpId)\n : Cv.fail({\n code: \"TOTP_MISSING_ID\",\n message: \"Missing TOTP enrollment ID.\",\n });\n\nconst resolveTotpDispatchFx = (\n params: Record<string, unknown>,\n verifier: string | undefined,\n): FxType<TotpDispatch, ConvexError<any>> =>\n resolveTotpFlowFx(params).pipe(\n Fx.chain((flow) =>\n Fx.match({ flow }).on(\"flow\", {\n setup: () => Fx.succeed({ flow: \"setup\" as const, params }),\n confirm: () =>\n Fx.gen(function* () {\n const resolvedVerifier = yield* requireTotpVerifierFx(verifier);\n const code = yield* requireTotpCodeFx(params);\n const totpId = yield* requireTotpIdFx(params);\n return {\n flow: \"confirm\" as const,\n code,\n totpId,\n verifier: resolvedVerifier,\n };\n }),\n verify: () =>\n Fx.gen(function* () {\n const resolvedVerifier = yield* requireTotpVerifierFx(verifier);\n const code = yield* requireTotpCodeFx(params);\n return {\n flow: \"verify\" as const,\n code,\n verifier: resolvedVerifier,\n };\n }),\n }),\n ),\n );\n\n/** @internal */\nexport const handleTotp = (\n ctx: EnrichedActionCtx,\n provider: TotpProviderConfig,\n args: { params?: Record<string, any>; verifier?: string },\n): FxType<TotpResult, ConvexError<any>> => {\n const params = (args.params ?? {}) as Record<string, unknown>;\n\n return resolveTotpDispatchFx(params, args.verifier).pipe(\n Fx.chain((dispatch) =>\n Fx.match(dispatch).on(\"flow\", {\n setup: ({ params }) =>\n Fx.from({\n ok: () => ctx.auth.getUserIdentity(),\n err: (e) =>\n Cv.error({ code: \"INTERNAL_ERROR\", message: String(e) }),\n }).pipe(\n Fx.chain((identity) =>\n identity === null\n ? Cv.fail({\n code: \"TOTP_AUTH_REQUIRED\",\n message:\n \"Sign in first, then set up two-factor authentication.\",\n })\n : Fx.succeed(userIdFromIdentitySubject(identity.subject)),\n ),\n Fx.chain((userId) =>\n Fx.from({\n ok: async () => {\n const secret = new Uint8Array(20);\n crypto.getRandomValues(secret);\n\n let accountName: string = params.accountName as string;\n if (!accountName) {\n const user = await queryUserById(ctx, userId);\n accountName = user?.email ?? \"user\";\n }\n\n const uri = createTOTPKeyURI(\n provider.options.issuer,\n accountName,\n secret,\n provider.options.period,\n provider.options.digits,\n );\n const base32Secret = encodeBase32LowerCaseNoPadding(secret);\n\n const verifier = await callVerifier(ctx);\n await callVerifierSignature(ctx, {\n verifier,\n signature: JSON.stringify({\n secret: Array.from(secret),\n userId,\n digits: provider.options.digits,\n period: provider.options.period,\n }),\n });\n\n const totpId = await mutateTotpInsert(ctx, {\n userId,\n secret: secret.buffer.slice(\n secret.byteOffset,\n secret.byteOffset + secret.byteLength,\n ),\n digits: provider.options.digits,\n period: provider.options.period,\n verified: false,\n name:\n typeof params.name === \"string\" ? params.name : undefined,\n createdAt: Date.now(),\n });\n\n return {\n kind: \"totpSetup\" as const,\n uri,\n secret: base32Secret,\n verifier,\n totpId,\n };\n },\n err: (e) =>\n Cv.error({\n code: \"INTERNAL_ERROR\",\n message: `TOTP setup failed: ${String(e)}`,\n }),\n }),\n ),\n ),\n confirm: ({ code, totpId, verifier }) =>\n Fx.from({\n ok: () => ctx.auth.getUserIdentity(),\n err: (e) =>\n Cv.error({ code: \"INTERNAL_ERROR\", message: String(e) }),\n }).pipe(\n Fx.chain((identity) =>\n identity === null\n ? Cv.fail({\n code: \"TOTP_AUTH_REQUIRED\",\n message:\n \"Sign in first, then set up two-factor authentication.\",\n })\n : Fx.succeed(userIdFromIdentitySubject(identity.subject)),\n ),\n Fx.chain((userId) =>\n Fx.from({\n ok: () => queryTotpById(ctx, totpId),\n err: () =>\n Cv.error({\n code: \"TOTP_NOT_FOUND\",\n message: \"TOTP enrollment not found.\",\n }),\n })\n .pipe(\n Fx.chain((doc) =>\n doc === null\n ? Cv.fail({\n code: \"TOTP_NOT_FOUND\",\n message: \"TOTP enrollment not found.\",\n })\n : Fx.succeed(doc),\n ),\n Fx.chain((totpDoc) =>\n totpDoc.verified\n ? Cv.fail({\n code: \"TOTP_ALREADY_VERIFIED\",\n message: \"TOTP enrollment is already verified.\",\n })\n : Fx.succeed(totpDoc),\n ),\n )\n .pipe(\n Fx.chain((totpDoc) =>\n verifyTOTPWithGracePeriod(\n new Uint8Array(totpDoc.secret),\n provider.options.period,\n provider.options.digits,\n code,\n 30,\n )\n ? Fx.succeed(totpDoc)\n : Cv.fail({\n code: \"TOTP_INVALID_CODE\",\n message: \"Invalid TOTP code.\",\n }),\n ),\n )\n .pipe(\n Fx.chain((_totpDoc) =>\n Fx.from({\n ok: async () => {\n await mutateTotpMarkVerified(ctx, totpId, Date.now());\n await mutateVerifierDelete(ctx, verifier);\n return callSignIn(ctx, {\n userId,\n generateTokens: true,\n });\n },\n err: (e) =>\n Cv.error({\n code: \"INTERNAL_ERROR\",\n message: String(e),\n }),\n }),\n ),\n )\n .pipe(\n Fx.map((signInResult) => ({\n kind: \"signedIn\" as const,\n signedIn: signInResult,\n })),\n ),\n ),\n ),\n verify: ({ code, verifier }) =>\n Fx.from({\n ok: () => queryVerifierById(ctx, verifier),\n err: () =>\n Cv.error({\n code: \"TOTP_INVALID_VERIFIER\",\n message: \"Invalid or expired TOTP verifier.\",\n }),\n }).pipe(\n Fx.chain((doc) =>\n doc === null\n ? Cv.fail({\n code: \"TOTP_INVALID_VERIFIER\",\n message: \"Invalid or expired TOTP verifier.\",\n })\n : Fx.succeed(doc),\n ),\n Fx.map((doc) => {\n const data = JSON.parse(doc.signature!);\n return { userId: data.userId as string, code, verifier };\n }),\n Fx.chain(({ userId, code, verifier }) =>\n Fx.from({\n ok: () => queryTotpVerifiedByUserId(ctx, userId),\n err: () =>\n Cv.error({\n code: \"TOTP_NO_ENROLLMENT\",\n message: \"No verified TOTP enrollment found.\",\n }),\n }).pipe(\n Fx.chain((totpDoc) =>\n totpDoc === null\n ? Cv.fail({\n code: \"TOTP_NO_ENROLLMENT\",\n message: \"No verified TOTP enrollment found.\",\n })\n : Fx.succeed(totpDoc),\n ),\n Fx.chain((totpDoc) =>\n verifyTOTPWithGracePeriod(\n new Uint8Array(totpDoc.secret),\n totpDoc.period,\n totpDoc.digits,\n code,\n 30,\n )\n ? Fx.succeed(totpDoc)\n : Cv.fail({\n code: \"TOTP_INVALID_CODE\",\n message: \"Invalid TOTP code.\",\n }),\n ),\n Fx.chain((totpDoc) =>\n Fx.from({\n ok: async () => {\n await mutateTotpUpdateLastUsed(\n ctx,\n totpDoc._id,\n Date.now(),\n );\n await mutateVerifierDelete(ctx, verifier);\n return callSignIn(ctx, { userId, generateTokens: true });\n },\n err: (e) =>\n Cv.error({ code: \"INTERNAL_ERROR\", message: String(e) }),\n }),\n ),\n Fx.map((signInResult) => ({\n kind: \"signedIn\" as const,\n signedIn: signInResult,\n })),\n ),\n ),\n ),\n }),\n ),\n );\n};\n\n// ============================================================================\n// Helpers\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;AA6DA,MAAM,aAAa;CAAC;CAAS;CAAW;CAAS;AASjD,MAAM,qBACJ,WACuC;CACvC,MAAM,OAAO,OAAO;AACpB,QAAO,OAAO,SAAS,YAAY,WAAW,SAAS,KAAc,GACjE,GAAG,QAAQ,KAAiB,GAC5B,GAAG,KAAK;EACN,MAAM;EACN,SACE;EACH,CAAC;;AAGR,MAAM,yBACJ,aAEA,YAAY,OACR,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK;CACN,MAAM;CACN,SAAS;CACV,CAAC;AAER,MAAM,qBACJ,WAEA,OAAO,OAAO,SAAS,WACnB,GAAG,QAAQ,OAAO,KAAK,GACvB,GAAG,KAAK;CAAE,MAAM;CAAqB,SAAS;CAAsB,CAAC;AAE3E,MAAM,mBACJ,WAEA,OAAO,OAAO,WAAW,WACrB,GAAG,QAAQ,OAAO,OAAO,GACzB,GAAG,KAAK;CACN,MAAM;CACN,SAAS;CACV,CAAC;AAER,MAAM,yBACJ,QACA,aAEA,kBAAkB,OAAO,CAAC,KACxB,GAAG,OAAO,SACR,GAAG,MAAM,EAAE,MAAM,CAAC,CAAC,GAAG,QAAQ;CAC5B,aAAa,GAAG,QAAQ;EAAE,MAAM;EAAkB;EAAQ,CAAC;CAC3D,eACE,GAAG,IAAI,aAAa;EAClB,MAAM,mBAAmB,OAAO,sBAAsB,SAAS;AAG/D,SAAO;GACL,MAAM;GACN,MAJW,OAAO,kBAAkB,OAAO;GAK3C,QAJa,OAAO,gBAAgB,OAAO;GAK3C,UAAU;GACX;GACD;CACJ,cACE,GAAG,IAAI,aAAa;EAClB,MAAM,mBAAmB,OAAO,sBAAsB,SAAS;AAE/D,SAAO;GACL,MAAM;GACN,MAHW,OAAO,kBAAkB,OAAO;GAI3C,UAAU;GACX;GACD;CACL,CAAC,CACH,CACF;;AAGH,MAAa,cACX,KACA,UACA,SACyC;AAGzC,QAAO,sBAFS,KAAK,UAAU,EAAE,EAEI,KAAK,SAAS,CAAC,KAClD,GAAG,OAAO,aACR,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;EAC5B,QAAQ,EAAE,aACR,GAAG,KAAK;GACN,UAAU,IAAI,KAAK,iBAAiB;GACpC,MAAM,MACJ,GAAG,MAAM;IAAE,MAAM;IAAkB,SAAS,OAAO,EAAE;IAAE,CAAC;GAC3D,CAAC,CAAC,KACD,GAAG,OAAO,aACR,aAAa,OACT,GAAG,KAAK;GACN,MAAM;GACN,SACE;GACH,CAAC,GACF,GAAG,QAAQ,0BAA0B,SAAS,QAAQ,CAAC,CAC5D,EACD,GAAG,OAAO,WACR,GAAG,KAAK;GACN,IAAI,YAAY;IACd,MAAM,SAAS,IAAI,WAAW,GAAG;AACjC,WAAO,gBAAgB,OAAO;IAE9B,IAAI,cAAsB,OAAO;AACjC,QAAI,CAAC,YAEH,gBADa,MAAM,cAAc,KAAK,OAAO,GACzB,SAAS;IAG/B,MAAM,MAAM,iBACV,SAAS,QAAQ,QACjB,aACA,QACA,SAAS,QAAQ,QACjB,SAAS,QAAQ,OAClB;IACD,MAAM,eAAe,+BAA+B,OAAO;IAE3D,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,UAAM,sBAAsB,KAAK;KAC/B;KACA,WAAW,KAAK,UAAU;MACxB,QAAQ,MAAM,KAAK,OAAO;MAC1B;MACA,QAAQ,SAAS,QAAQ;MACzB,QAAQ,SAAS,QAAQ;MAC1B,CAAC;KACH,CAAC;AAgBF,WAAO;KACL,MAAM;KACN;KACA,QAAQ;KACR;KACA,QAnBa,MAAM,iBAAiB,KAAK;MACzC;MACA,QAAQ,OAAO,OAAO,MACpB,OAAO,YACP,OAAO,aAAa,OAAO,WAC5B;MACD,QAAQ,SAAS,QAAQ;MACzB,QAAQ,SAAS,QAAQ;MACzB,UAAU;MACV,MACE,OAAO,OAAO,SAAS,WAAW,OAAO,OAAO;MAClD,WAAW,KAAK,KAAK;MACtB,CAAC;KAQD;;GAEH,MAAM,MACJ,GAAG,MAAM;IACP,MAAM;IACN,SAAS,sBAAsB,OAAO,EAAE;IACzC,CAAC;GACL,CAAC,CACH,CACF;EACH,UAAU,EAAE,MAAM,QAAQ,eACxB,GAAG,KAAK;GACN,UAAU,IAAI,KAAK,iBAAiB;GACpC,MAAM,MACJ,GAAG,MAAM;IAAE,MAAM;IAAkB,SAAS,OAAO,EAAE;IAAE,CAAC;GAC3D,CAAC,CAAC,KACD,GAAG,OAAO,aACR,aAAa,OACT,GAAG,KAAK;GACN,MAAM;GACN,SACE;GACH,CAAC,GACF,GAAG,QAAQ,0BAA0B,SAAS,QAAQ,CAAC,CAC5D,EACD,GAAG,OAAO,WACR,GAAG,KAAK;GACN,UAAU,cAAc,KAAK,OAAO;GACpC,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,CACC,KACC,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,GACF,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,OAAO,YACR,QAAQ,WACJ,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,GACF,GAAG,QAAQ,QAAQ,CACxB,CACF,CACA,KACC,GAAG,OAAO,YACR,0BACE,IAAI,WAAW,QAAQ,OAAO,EAC9B,SAAS,QAAQ,QACjB,SAAS,QAAQ,QACjB,MACA,GACD,GACG,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,CACP,CACF,CACA,KACC,GAAG,OAAO,aACR,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAM,uBAAuB,KAAK,QAAQ,KAAK,KAAK,CAAC;AACrD,UAAM,qBAAqB,KAAK,SAAS;AACzC,WAAO,WAAW,KAAK;KACrB;KACA,gBAAgB;KACjB,CAAC;;GAEJ,MAAM,MACJ,GAAG,MAAM;IACP,MAAM;IACN,SAAS,OAAO,EAAE;IACnB,CAAC;GACL,CAAC,CACH,CACF,CACA,KACC,GAAG,KAAK,kBAAkB;GACxB,MAAM;GACN,UAAU;GACX,EAAE,CACJ,CACJ,CACF;EACH,SAAS,EAAE,MAAM,eACf,GAAG,KAAK;GACN,UAAU,kBAAkB,KAAK,SAAS;GAC1C,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,GACF,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,KAAK,QAAQ;AAEd,UAAO;IAAE,QADI,KAAK,MAAM,IAAI,UAAW,CACjB;IAAkB;IAAM;IAAU;IACxD,EACF,GAAG,OAAO,EAAE,QAAQ,cAAM,2BACxB,GAAG,KAAK;GACN,UAAU,0BAA0B,KAAK,OAAO;GAChD,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,CAAC,KACD,GAAG,OAAO,YACR,YAAY,OACR,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,GACF,GAAG,QAAQ,QAAQ,CACxB,EACD,GAAG,OAAO,YACR,0BACE,IAAI,WAAW,QAAQ,OAAO,EAC9B,QAAQ,QACR,QAAQ,QACRA,QACA,GACD,GACG,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,CACP,EACD,GAAG,OAAO,YACR,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAM,yBACJ,KACA,QAAQ,KACR,KAAK,KAAK,CACX;AACD,UAAM,qBAAqB,KAAKC,WAAS;AACzC,WAAO,WAAW,KAAK;KAAE;KAAQ,gBAAgB;KAAM,CAAC;;GAE1D,MAAM,MACJ,GAAG,MAAM;IAAE,MAAM;IAAkB,SAAS,OAAO,EAAE;IAAE,CAAC;GAC3D,CAAC,CACH,EACD,GAAG,KAAK,kBAAkB;GACxB,MAAM;GACN,UAAU;GACX,EAAE,CACJ,CACF,CACF;EACJ,CAAC,CACH,CACF"}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","names":[],"sources":["../../src/server/types.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;KAqCY,SAAA,MAAe,CAAA,GAAI,WAAA,CAAY,CAAA;;;;;;AAA3C;;;KAUY,kBAAA;EAV+B,+DAYzC,EAAA,WAZwC;EAcxC,KAAA,WAdoB;EAgBpB,MAAA;AAAA;;;;AANF;;;;;KAiBY,uBAAA;EACV,KAAA,EAAO,MAAA,SAAe,kBAAA;AAAA;;AADxB;;;;;;;;;KAcY,UAAA,wBACa,uBAAA,gBACrB,cAAA;EAAyB,KAAA,uBAA4B,MAAA;AAAA,UAC/C,MAAA;;;;;;;;;;;KAaE,SAAA,wBACa,uBAAA,gBACrB,cAAA;EACF,KAAA,uBAA4B,MAAA;IAAiB,MAAA;EAAA;AAAA,IAE3C,MAAA,OAAa,MAAA;AALjB;;;AAAA,KAWY,gBAAA;EATR;;;;;;EAgBF,SAAA,EAAW,kBAAA;EAjBY;;;;;;EAwBvB,SAAA,EAAW,gBAAA;EApBI;;;EAwBf,OAAA;IAlB0B;;;;;;;IA0BxB,eAAA;IAsHc;;;;;;;IA9Gd,kBAAA;EAAA;EA6Ka;;;EAxKf,GAAA;IAyLe;;;;;;;IAjLb,UAAA;EAAA;EAAA;;;EAKF,MAAA;IA0DE;;;;;;;;;IAhDA,wBAAA;EAAA;EAkFI;;;;;;;EAzEN,SAAA;IA0FM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiFR;;;;;;;IApII,QAAA,IAAY,MAAA;MAyI8B;;;MArIxC,UAAA;IAAA,MACI,OAAA;IA0IN;;;;;;;;;;;IA9HA,kBAAA,IACE,GAAA,EAAK,kBAAA,CAAmB,YAAA,GACxB,IAAA;MAwIF;;;;MAnII,cAAA,EAAgB,SAAA;MAmIH;;;;MA9Hb,IAAA;MA8Ha;;;;MAzHb,QAAA,EAAU,8BAAA;MA8GK;;;;;;;MAtGf,OAAA,EAAS,MAAA;QACP,KAAA;QACA,KAAA;QACA,aAAA;QACA,aAAA;MAAA;MA2GN;;;MAtGI,UAAA;IAAA,MAEC,OAAA,CAAQ,SAAA;IAsGI;AAMrB;;;;;AAWA;;;;;AAQA;;;IAhHI,yBAAA,IACE,GAAA,EAAK,kBAAA,CAAmB,YAAA,GACxB,IAAA;MA8GmC;AASzC;;MAnHQ,MAAA,EAAQ,SAAA;MAmHyB;;AAWzC;;MAzHQ,cAAA,EAAgB,SAAA;MAyHa;;AAUrC;;MA9HQ,IAAA;MAkII;;;;MA7HJ,QAAA,EAAU,8BAAA;MA6IP;;;;;;;MArIH,OAAA,EAAS,MAAA;QACP,KAAA;QACA,KAAA;QACA,aAAA;QACA,aAAA;MAAA;MAuHE;;;MAlHJ,UAAA;IAAA,MAEC,OAAA;EAAA;EAuHH;;;EAlHJ,aAAA;IACE,KAAA,EAAO,MAAA;MAGH,KAAA;MACA,MAAA;IAAA;EAAA;AAAA;;;;;;;;;KAcI,kBAAA,GAAkB,qBAAA,GACwB,QAAA,GACV,OAAA,GACF,IAAA,GACN,SAAA,GACU,MAAA,GACN,GAAA,GACN,KAAA,GACI,KAAA,GAElC,uBAAA,GACA,uBAAA,QACK,IAAA,UAAc,uBAAA,IACnB,WAAA,QACK,IAAA,UAAc,WAAA,IACnB,WAAA,QACK,IAAA,UAAc,WAAA,IACnB,qBAAA,QACK,IAAA,UAAc,qBAAA,IACnB,kBAAA,QACK,IAAA,UAAc,kBAAA,IACnB,oBAAA,QACK,IAAA,UAAc,oBAAA,IACnB,iBAAA;;;;;UAMa,iBAAA;EACf,EAAA;EACA,IAAA;AAAA;;;;;;;KASU,8BAAA;;;;;AA8FZ;;KAtFY,6BAAA;;;;;;;;KASA,6BAAA;;;;;;;KAWA,yBAAA;;;;;;;;;UAUK,gBAAA;EACf,OAAA;EACA,QAAA;IACE,cAAA;MACE,IAAA,EAAM,8BAAA;MACN,IAAA,EAAM,8BAAA;IAAA;EAAA;EAGV,YAAA;IACE,SAAA;MACE,IAAA,EAAM,6BAAA;IAAA;IAER,GAAA;MACE,IAAA,EAAM,6BAAA;MACN,cAAA;IAAA;IAEF,WAAA;MACE,IAAA,EAAM,yBAAA;IAAA;EAAA;EAGV,MAAA,GAAS,MAAA;AAAA;;;;;;;UASM,qBAAA;EACf,QAAA;IACE,cAAA;MACE,IAAA,GAAO,8BAAA;MACP,IAAA,GAAO,8BAAA;IAAA;EAAA;EAGX,YAAA;IACE,SAAA;MACE,IAAA,GAAO,6BAAA;IAAA;IAET,GAAA;MACE,IAAA,GAAO,6BAAA;MACP,cAAA;IAAA;IAEF,WAAA;MACE,IAAA,GAAO,yBAAA;IAAA;EAAA;EAGX,MAAA,GAAS,MAAA;AAAA;;;;;;UAQM,WAAA,mBACG,gBAAA,GAAmB,gBAAA;EA+EtB;EA5Ef,EAAA;EA4E0B;EA1E1B,IAAA;EA2EqC;EAzErC,IAAA;EAyFc;EAvFd,IAAA;EA0FO;;;;;EApFP,MAAA;EAqHW;;;;;;EA9GX,uBAAA,GACE,MAAA;IACE,UAAA;IACA,GAAA;IACA,OAAA,EAAS,IAAA;IACT,QAAA,EAAU,WAAA;IACV,KAAA;IACA,OAAA,EAAS,OAAA;EAAA,GAEX,GAAA,GAAM,gBAAA,CAAiB,YAAA,MACpB,SAAA;EA8DD;;;;;EAxDJ,yBAAA,SAAkC,SAAA;EAsDhC;;;;EAjDF,mBAAA,IAAuB,UAAA;EA6DvB;;;;;;;EArDA,SAAA;EAgFE;;;EA5EA,MAAA,EAAQ,MAAA,SAAe,KAAA,eACvB,OAAA,EAAS,UAAA,CAAW,SAAA,iBACjB,OAAA;EA4EA;EA1EL,OAAA,EAAS,eAAA,CAAgB,SAAA;AAAA;;;;AAqF3B;;;;KA3EY,eAAA,mBACQ,gBAAA,GAAmB,gBAAA,IACnC,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,SAAA;;;;;;;UAQZ,WAAA,mBACG,gBAAA,GAAmB,gBAAA;EAErC,EAAA;EACA,IAAA;EA+DE;;;EA3DF,MAAA;EA2DoC;;AAKtC;EA5DE,uBAAA,GACE,MAAA;IACE,UAAA;IACA,GAAA;IACA,OAAA,EAAS,IAAA;IACT,QAAA,EAAU,WAAA;IACV,KAAA;EAAA,GAEF,GAAA,EAAK,8BAAA,CAA+B,SAAA,MACjC,OAAA;EAqDH;AAMJ;;EAvDE,MAAA;EAuDoC;;;;;;;;EA9CpC,yBAAA,SAAkC,OAAA;EAyEhC;;;;;EAnEF,mBAAA,IAAuB,UAAA;EAwFR;;;;;;;EAhFf,SAAA;EA2FE;;;EAvFA,MAAA,EAAQ,MAAA,SAAe,KAAA,eACvB,OAAA,EAAS,UAAA,CAAW,SAAA,iBACjB,OAAA;EACL,OAAA,EAAS,eAAA,CAAgB,SAAA;AAAA;;;;;;;;KAUf,eAAA,mBACQ,gBAAA,GAAmB,gBAAA,IACnC,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,SAAA;;AAoH7B;;KA/GY,uBAAA,GAA0B,iBAAA;EACpC,IAAA;EACA,EAAA;AAAA;;;;UAMe,qBAAA;EACf,EAAA;EACA,IAAA;EACA,OAAA;IA+GS,iEA7GP,MAAA,WA+GA;IA7GA,IAAA,WA+GA;IA7GA,MAAA;IAgHF;;;AAIF;;IA9GI,WAAA;IAgH6B;;;;;IA1G7B,gBAAA;IA8GQ;;;;;IAxGR,WAAA,6CA2GA;IAzGA,uBAAA;IA0GM;;AAKV;;;IAzGI,UAAA;IA0GF;;;;;IApGE,qBAAA;EAAA;AAAA;;;;UAOa,kBAAA;EACf,EAAA;EACA,IAAA;EACA,OAAA;IAgGY,+DA9FV,MAAA;IA+FO;;;;AAIX;IA7FI,MAAA;IA8FM;;;;;IAxFN,MAAA;EAAA;AAAA;AA6FJ;;;;;AAAA,UAhFiB,YAAA;EACf,EAAA;EACA,IAAA;EACA,KAAA;EACA,KAAA;EAgFQ;EAAA,CA9EP,GAAA;AAAA;;KAmBS,sBAAA;EAgEY,iEA9DtB,EAAA,UA8DY;EA5DZ,MAAA;AAAA;;KAIU,qBAAA;EACV,QAAA;EACA,OAAA,EAAS,sBAAA;EACT,OAAA,EAAS,MAAA;IACP,KAAA;IACA,KAAA;IACA,aAAA;IACA,aAAA;EAAA;EAEF,kBAAA;EACA,kBAAA;AAAA;;KAIU,uBAAA;EACV,QAAA;EACA,OAAA,EAAS,sBAAA;AAAA;;KAIC,qBAAA;EACV,QAAA;EACA,OAAA;IACE,EAAA;IACA,MAAA;EAAA;AAAA;;KAKQ,0BAAA;EACV,MAAA,EAAQ,SAAA;EACR,MAAA,GAAS,SAAA;AAAA;;KAIC,sBAAA;EACV,SAAA,GAAY,SAAA;EACZ,MAAA,GAAS,MAAA,SAAe,KAAA;AAAA;;KAId,wBAAA;EACV,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;AAAA;;KAID,qBAAA;EACV,MAAA,EAAQ,SAAA;EACR,OAAA,EAAS,SAAA;EACT,QAAA;EACA,QAAA;AAAA;;KAIU,uBAAA;EACV,UAAA,EAAY,UAAA,CAAW,gBAAA;EACvB,OAAA;EACA,MAAA;AAAA;;KAIU,qBAAA,GAAwB,qBAAA;EAClC,OAAA;EACA,MAAA;AAAA;;;;;;;;;;;;;;;;;;;KAqBU,iBAAA;EAcc,iFAZxB,OAAA;IACE,MAAA,GACE,GAAA,EAAK,gBAAA,OACL,IAAA,EAAM,qBAAA,KACH,OAAA;MACH,OAAA,EAAS,UAAA,CAAW,gBAAA;MACpB,IAAA,EAAM,UAAA,CAAW,gBAAA;IAAA;IAEnB,GAAA,GACE,GAAA,EAAK,gBAAA,OACL,IAAA,EAAM,uBAAA,KACH,OAAA;MACH,OAAA,EAAS,UAAA,CAAW,gBAAA;MACpB,IAAA,EAAM,UAAA,CAAW,gBAAA;IAAA;IAEnB,MAAA,GACE,GAAA,EAAK,gBAAA,OACL,IAAA,EAAM,qBAAA,KACH,OAAA;MAAU,SAAA,EAAW,SAAA;IAAA;EAAA;EAE5B,OAAA;IACE,OAAA,GAAU,GAAA;MACR,IAAA,EAAM,gBAAA,CAAiB,gBAAA;IAAA,MACnB,OAAA,CAAQ,SAAA;IACd,UAAA,GACE,GAAA,EAAK,gBAAA,OACL,IAAA,EAAM,0BAAA,KACH,OAAA;MACH,MAAA,EAAQ,SAAA;MACR,MAAA,EAAQ,SAAA;IAAA;EAAA;EAGZ,MAAA;IACE,OAAA,GACE,GAAA,EAAK,gBAAA,OACL,IAAA,EAAM,qBAAA,KACH,OAAA,CAAQ,uBAAA;IACb,OAAA,GACE,GAAA,EAAK,gBAAA,OACL,IAAA,EAAM,qBAAA,KACH,OAAA,CAAQ,uBAAA;EAAA;EAEf,QAAA;IACE,MAAA,GACE,GAAA,EAAK,gBAAA,OACL,QAAA,EAAU,kBAAA,EACV,IAAA,EAAM,sBAAA,KACH,OAAA,CAAQ,wBAAA;EAAA;AAAA;;;;;;;KAUL,8BAAA,mBAAiD,gBAAA,IAC3D,gBAAA,CAAiB,SAAA;EACf,IAAA,EAAM,gBAAA,CAAiB,SAAA;IACrB,MAAA,EAAQ,4BAAA;EAAA,IACN,iBAAA;AAAA;;;;;;;KASI,4BAAA;EACV,SAAA,EAAW,8BAAA;AAAA,IACT,IAAA,CACF,gBAAA;;;;;;;UAUe,oBAAA;EA1ByB;EA4BxC,OAAA;EA5B2D;EA8B3D,KAAA;EA7BA;EA+BA,IAAA;EA9BQ;EAgCR,SAAA;EA9BM;EAgCN,QAAA;AAAA;;;;;;;UASe,uBAAA;EA1CX;;;;EAAA,SA+CK,EAAA;EArCC;;;;EAAA,SA0CD,IAAA;EAxCP;;;;EAAA,SA6CO,QAAA;EA7CP;;;;EAAA,SAkDO,MAAA;EAvC0B;;;;EAAA,SA4C1B,OAAA,IACP,MAAA,EA1BoC,OAAA,CA0BX,YAAA,KACtB,OAAA,CAAQ,YAAA;EAxCb;;;;EAAA,SA6CS,cAAA;AAAA;;;;;;;UASM,oBAAA;EACf,EAAA;EACA,IAAA;EA5BS;EA8BT,OAAA;EApBS;EAsBT,cAAA;EArBE;EAuBF,SAAA;EAtBa;EAwBb,QAAA;EAnBuB;;AASzB;;;;EAiBE,eAAA;AAAA;;;;KAMU,8BAAA,GACR,uBAAA,GACA,WAAA,GACA,WAAA,GACA,uBAAA,GACA,qBAAA,GACA,kBAAA,GACA,oBAAA,GACA,iBAAA;;;;AARJ;;;KAgBY,MAAA,WAAiB,kBAAA,MAAkB,GAAA,SACN,CAAA;AAAA,KAE7B,kBAAA,WAA6B,kBAAA,MAAkB,OAAA,SACV,CAAA;AAAA,KAErC,eAAA,WAA0B,kBAAA,MAAkB,IAAA,SACb,CAAA;AAAA,KAE/B,iBAAA,WAA4B,kBAAA,MAAkB,MAAA,SACX,CAAA;;;;;;;;;UAc9B,QAAA;EACf,QAAA;EACA,OAAA;AAAA;;;;;AA1BF;;;;;;;UAwCiB,YAAA;EAxCE;EA0CjB,GAAA,CAAI,QAAA,UAAkB,MAAA;EA1CuB;EA4C7C,MAAA,EAAQ,QAAA;AAAA;;AAzCV;;;UAgDiB,SAAA;EAhD0C;EAkDzD,GAAA;EAjDgD;EAmDhD,MAAA;EApD6B;EAsD7B,MAAA;EAtDyD;EAwDzD,IAAA;EAvDgD;EAyDhD,MAAA,EAAQ,QAAA;EAvDE;EAyDV,SAAA;IAAc,WAAA;IAAqB,QAAA;EAAA;EAxDM;EA0DzC,SAAA;EA1D0C;EA4D1C,UAAA;EA7DoC;EA+DpC,SAAA;EA9DyC;EAgEzC,OAAA;EAhE0C;EAkE1C,QAAA,GAAW,MAAA;AAAA;;;;;;;;;;;;;AAjDb;;;;KAwEY,WAAA,gBACK,MAAA;EAzDA,8DA6Df,KAAA,GAAQ,MAAA;EAER,KAAA,WA7DA;EA+DA,MAAA,kBA/DsB;EAiEtB,OAAA,GAAU,QAAA,EA/DF;EAiER,KAAA;AAAA;AA1DF;;;;;AAAA,KAkEY,UAAA;EA5DV,yBA8DA,KAAA,EAAO,CAAA,IA1DP;EA4DA,UAAA;AAAA;;;;;;;KAWU,QAAA;EACV,GAAA;EACA,KAAA;AAAA;AAtCF;AAAA,KA0CY,UAAA;EACV,IAAA;EACA,IAAA;EACA,aAAA;EACA,IAAA,WAnCkB;EAqClB,MAAA;EA/CA;;;;EAoDA,OAAA,GAAU,QAAA;EA9CV;;;;EAmDA,OAAA,GAAU,QAAA;AAAA;;KAIA,YAAA;;KAGA,WAAA;EACV,OAAA;EACA,MAAA;EACA,MAAA;EACA,MAAA;AAAA;;KAIU,aAAA;AArCZ;AAAA,KAwCY,WAAA;EACV,SAAA;EACA,OAAA;EACA,MAAA;EACA,KAAA;EACA,eAAA;EACA,MAAA;EACA,gBAAA;AAAA;;KAIU,aAAA;;KAQA,QAAA;EACV,MAAA;EACA,OAAA;EACA,IAAA;EACA,MAAA;AAAA;;KAIU,UAAA;;KAQA,SAAA;EACV,KAAA;EACA,KAAA;EACA,WAAA;EACA,IAAA;AAAA;;KAIU,WAAA;;;;;;AA9CZ;;;;;AAGA;;;;;;;UAkEiB,cAAA;EACf,GAAA;IA7DA,kDA+DE,MAAA,UA9Dc;IAgEd,KAAA,UA5DQ;IA8DR,MAAA,EAAQ,YAAA;EAAA;AAAA;;AAtDZ;;UA6DiB,UAAA;EA7DG;EA+DlB,MAAA;EA7DA;EA+DA,OAAA;EA7DA;EA+DA,OAAA;AAAA;AA3DF;;;AAAA,KAySY,UAAA,mBACQ,gBAAA,oBACA,qBAAA,CAAsB,SAAA,KACtC,cAAA,CAAe,SAAA,EAAW,SAAA;EAC5B,GAAA,EAAK,SAAA,CAAU,SAAA;EACf,aAAA;AAAA;;KAwCU,aAAA,GAAgB,6BAAA,QAAqC,QAAA;;KAGrD,SAAA,GAAY,gBAAA,CAAiB,aAAA;;KAG7B,WAAA,GAAc,kBAAA,CAAmB,aAAA;;KAGjC,QAAA,GAAW,eAAA,CAAgB,aAAA;AA/UvC;AAAA,KAkVY,GAAA,WAAc,qBAAA,CAAsB,aAAA,KAAkB,UAAA,CAChE,aAAA,EACA,CAAA;;KAIU,MAAA;EAAW,KAAA;EAAe,YAAA;AAAA;;KAG1B,WAAA;EACV,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;EACX,MAAA,EAAQ,MAAA;AAAA;;KAIE,qBAAA;EACV,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;EACX,MAAA,EAAQ,MAAA;AAAA;AAAA,KAUE,OAAA,GAAU,KAAA,QAAa,cAAA;AAAA,KAEvB,UAAA,GAAa,KAAA,QAAa,WAAA;AAAA,KAE1B,WAAA,GAAc,KAAA,QAAa,gBAAA;AAAA,KAc3B,MAAA,GAAS,KAAA,QAAa,UAAA;AAAA,iBAyBZ,aAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,qBAAA;AAAA,iBAMW,wBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,WACC,OAAA,CAAQ,qBAAA;AAAA,iBASW,iBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,UAAA,WACC,OAAA,CAAQ,WAAA;AAAA,iBAMW,oBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,UAAA,WACC,OAAA;AAAA,iBAQmB,aAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,OAAA;AAAA,iBAMW,yBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,OAAA;AAAA,iBAOW,gBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,MAAA;EACA,MAAA,EAAQ,WAAA;EACR,MAAA;EACA,MAAA;EACA,QAAA;EACA,IAAA;EACA,SAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,sBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,UACA,UAAA,WACC,OAAA;AAAA,iBAOmB,wBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,UACA,UAAA,WACC,OAAA;AAAA,iBASmB,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,UAAA;AAAA,iBAOW,0BAAA,CACpB,GAAA,EAAK,gBAAA,EACL,YAAA,WACC,OAAA,CAAQ,UAAA;AAAA,iBAOW,mBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,MAAA;EACA,YAAA;EACA,SAAA,EAAW,WAAA,GAAc,eAAA;EACzB,SAAA;EACA,OAAA;EACA,UAAA;EACA,UAAA;EACA,QAAA;EACA,IAAA;EACA,SAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,0BAAA,CACpB,GAAA,EAAK,gBAAA,EACL,SAAA,UACA,OAAA,UACA,UAAA,WACC,OAAA;AAAA,iBAUmB,eAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,MAAA;EACA,MAAA;EACA,SAAA;EACA,IAAA;EACA,MAAA,EAAQ,KAAA;IAAQ,QAAA;IAAkB,OAAA;EAAA;EAClC,SAAA;IAAc,WAAA;IAAqB,QAAA;EAAA;EACnC,SAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,iBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,MAAA;AAAA,iBAkBW,YAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,WACC,OAAA,CAAQ,MAAA;AAAA,iBAMW,cAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,UACA,IAAA,EAAM,MAAA,oBACL,OAAA;AAAA,iBAOmB,eAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,WACC,OAAA;AAAA,KAMS,SAAA,GAAY,KAAA,QAAa,cAAA;AAAA,iBAEf,kBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,cAAA;EACA,QAAA;EACA,SAAA;EACA,QAAA;EACA,MAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,cAAA,WACC,OAAA,CAAQ,SAAA;AAAA,iBAOW,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,WACC,OAAA,CAAQ,SAAA;AAAA,iBAOW,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,UACA,MAAA,UACA,SAAA,WACC,OAAA;AAAA,iBAQmB,4BAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,UACA,YAAA,WACC,OAAA;AAAA,iBAOmB,kBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,WACC,OAAA"}
|
package/dist/server/types.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"types.js","names":[],"sources":["../../src/server/types.ts"],"sourcesContent":["import {\n AnyDataModel,\n DataModelFromSchemaDefinition,\n DocumentByName,\n FunctionReference,\n GenericActionCtx,\n GenericDataModel,\n GenericMutationCtx,\n GenericQueryCtx,\n RegisteredAction,\n RegisteredMutation,\n RegisteredQuery,\n TableNamesInDataModel,\n} from \"convex/server\";\nimport type { Infer } from \"convex/values\";\nimport { GenericId, Value } from \"convex/values\";\n\nimport {\n vApiKeyDoc,\n vAuthVerifierDoc,\n vDeviceCodeDoc,\n vPasskeyDoc,\n vTotpFactorDoc,\n vUserDoc,\n} from \"../component/model\";\nimport schema from \"../component/schema\";\nimport type { CredentialsConfig } from \"../providers/credentials\";\n\n// ============================================================================\n// Utility types\n// ============================================================================\n\n/**\n * A value that is either `T` or a `PromiseLike<T>`.\n *\n * @typeParam T - The underlying value type.\n */\nexport type Awaitable<T> = T | PromiseLike<T>;\n\n/**\n * A single role definition within the authorization config.\n *\n * Each role has an optional human-readable label and a list of grant strings\n * that members with this role receive.\n *\n * @see {@link AuthAuthorizationConfig}\n */\nexport type AuthRoleDefinition = {\n /** Optional stable identifier (defaults to the record key). */\n id?: string;\n /** Human-readable label for admin UIs. */\n label?: string;\n /** Permission grant strings conferred by this role. */\n grants: string[];\n};\n\n/**\n * Authorization configuration mapping role IDs to {@link AuthRoleDefinition}s.\n *\n * Passed as `authorization.roles` in {@link ConvexAuthConfig}.\n *\n * @see {@link AuthRoleDefinition}\n * @see {@link ConvexAuthConfig}\n */\nexport type AuthAuthorizationConfig = {\n roles: Record<string, AuthRoleDefinition>;\n};\n\n/**\n * Extracts the union of role ID strings from an authorization config.\n *\n * When `TAuthorization` is defined, this resolves to the literal key union\n * of the `roles` record. Otherwise falls back to `string`.\n *\n * @typeParam TAuthorization - The authorization config type, or `undefined`.\n *\n * @see {@link AuthGrant}\n */\nexport type AuthRoleId<\n TAuthorization extends AuthAuthorizationConfig | undefined,\n> = TAuthorization extends { roles: infer TRoles extends Record<string, any> }\n ? keyof TRoles & string\n : string;\n\n/**\n * Extracts the union of grant strings from all roles in an authorization config.\n *\n * When `TAuthorization` is defined, this resolves to the literal union\n * of all `grants` array elements across every role. Otherwise falls back to `string`.\n *\n * @typeParam TAuthorization - The authorization config type, or `undefined`.\n *\n * @see {@link AuthRoleId}\n */\nexport type AuthGrant<\n TAuthorization extends AuthAuthorizationConfig | undefined,\n> = TAuthorization extends {\n roles: infer TRoles extends Record<string, { grants: readonly any[] }>;\n}\n ? TRoles[keyof TRoles][\"grants\"][number] & string\n : string;\n\n/**\n * The config for the Convex Auth library, passed to `createAuth`.\n */\nexport type ConvexAuthConfig = {\n /**\n * A list of authentication provider configs.\n *\n * You can import existing configs from\n * `@robelest/convex-auth/providers/<provider-name>`\n */\n providers: AuthProviderConfig[];\n /**\n * Auth component reference from `components.auth`.\n *\n * Core auth storage operations are executed through\n * the component API boundary.\n */\n component: AuthComponentApi;\n /**\n * Session configuration.\n */\n session?: {\n /**\n * How long can a user session last without the user reauthenticating.\n *\n * Defaults to 30 days.\n *\n * @defaultValue 2_592_000_000\n */\n totalDurationMs?: number;\n /**\n * How long can a user session last without the user being active.\n *\n * Defaults to 30 days.\n *\n * @defaultValue 2_592_000_000\n */\n inactiveDurationMs?: number;\n };\n /**\n * JWT configuration.\n */\n jwt?: {\n /**\n * How long is the JWT valid for after it is signed initially.\n *\n * Defaults to 1 hour.\n *\n * @defaultValue 3_600_000\n */\n durationMs?: number;\n };\n /**\n * Sign-in configuration.\n */\n signIn?: {\n /**\n * How many times can the user fail to provide the correct credentials\n * (password, OTP) per hour.\n *\n * Defaults to 10 times per hour (that is 10 failed attempts, and then\n * allow another one every 6 minutes).\n *\n * @defaultValue 10\n */\n maxFailedAttemptsPerHour?: number;\n };\n /**\n * Lifecycle callbacks for customizing sign-in behavior.\n *\n * Use `redirect` to control post-OAuth redirect URLs, and\n * `createOrUpdateUser` or `afterUserCreatedOrUpdated` to\n * customize account linking and user document creation.\n */\n callbacks?: {\n /**\n * Control which URLs are allowed as a destination after OAuth sign-in\n * and for magic links:\n *\n * ```ts\n * import { createAuth } from \"@robelest/convex-auth/component\";\n * import { components } from \"./_generated/api\";\n *\n * const auth = createAuth(components.auth, {\n * providers: [google],\n * callbacks: {\n * async redirect({ redirectTo }) {\n * // Check that redirectTo is valid\n * // and return the relative or absolute URL\n * // to redirect to.\n * },\n * },\n * });\n * ```\n *\n * Convex Auth performs redirect only during OAuth sign-in. By default,\n * it redirects back to the URL specified via the `SITE_URL` environment\n * variable. Similarly magic links link to `SITE_URL`. Additional frontend\n * origins can be listed in `SECONDARY_URL` for flows like passkeys.\n *\n * You can customize that behavior by providing a `redirectTo` param\n * to the `signIn` function:\n *\n * ```ts\n * signIn(\"google\", { redirectTo: \"/dashboard\" })\n * ```\n *\n * You can even redirect to a different site.\n *\n * This callback, if specified, is then called with the provided\n * `redirectTo` param. Otherwise, only query params, relative paths\n * and URLs starting with `SITE_URL` are allowed.\n */\n redirect?: (params: {\n /**\n * The param value passed to the `signIn` function.\n */\n redirectTo: string;\n }) => Promise<string>;\n /**\n * Completely control account linking via this callback.\n *\n * This callback is called during the sign-in process,\n * before account creation and token generation.\n * If specified, this callback is responsible for creating\n * or updating the user document.\n *\n * For \"credentials\" providers, the callback is only called\n * when `createAccount` is called.\n */\n createOrUpdateUser?: (\n ctx: GenericMutationCtx<AnyDataModel>,\n args: {\n /**\n * If this is a sign-in to an existing account,\n * this is the existing user ID linked to that account.\n */\n existingUserId: GenericId<\"User\"> | null;\n /**\n * The provider type or \"verification\" if this callback is called\n * after an email or phone token verification.\n */\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n /**\n * The provider used for the sign-in, or the provider\n * tied to the account which is having the email or phone verified.\n */\n provider: AuthProviderMaterializedConfig;\n /**\n * - The profile returned by the OAuth provider's `profile` method.\n * - The profile passed to `createAccount` from a ConvexCredentials\n * config.\n * - The email address to which an email will be sent.\n * - The phone number to which a text will be sent.\n */\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n /**\n * The `shouldLink` argument passed to `createAccount`.\n */\n shouldLink?: boolean;\n },\n ) => Promise<GenericId<\"User\">>;\n /**\n * Perform additional writes after a user is created.\n *\n * This callback is called during the sign-in process,\n * after the user is created or updated,\n * before account creation and token generation.\n *\n * **This callback is only called if `createOrUpdateUser`\n * is not specified.** If `createOrUpdateUser` is specified,\n * you can perform any additional writes in that callback.\n *\n * For \"credentials\" providers, the callback is only called\n * when `createAccount` is called.\n */\n afterUserCreatedOrUpdated?: (\n ctx: GenericMutationCtx<AnyDataModel>,\n args: {\n /**\n * The ID of the user that is being signed in.\n */\n userId: GenericId<\"User\">;\n /**\n * If this is a sign-in to an existing account,\n * this is the existing user ID linked to that account.\n */\n existingUserId: GenericId<\"User\"> | null;\n /**\n * The provider type or \"verification\" if this callback is called\n * after an email or phone token verification.\n */\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n /**\n * The provider used for the sign-in, or the provider\n * tied to the account which is having the email or phone verified.\n */\n provider: AuthProviderMaterializedConfig;\n /**\n * - The profile returned by the OAuth provider's `profile` method.\n * - The profile passed to `createAccount` from a ConvexCredentials\n * config.\n * - The email address to which an email will be sent.\n * - The phone number to which a text will be sent.\n */\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n /**\n * The `shouldLink` argument passed to `createAccount`.\n */\n shouldLink?: boolean;\n },\n ) => Promise<void>;\n };\n /**\n * Application-defined role and grant model used by membership access checks.\n */\n authorization?: {\n roles: Record<\n string,\n {\n label?: string;\n grants: string[];\n }\n >;\n };\n};\n\n/**\n * Union of all supported auth provider config types.\n *\n * Includes Arctic-based OAuth providers (via the `OAuth()` factory),\n * plus library-native providers: credentials, email, phone, passkey\n * (WebAuthn), and TOTP (2FA). Each can be passed as a config object\n * or a factory function.\n */\nexport type AuthProviderConfig =\n | import(\"../providers/oauth\").OAuthProviderInstance\n | import(\"../providers/password\").Password\n | import(\"../providers/passkey\").Passkey\n | import(\"../providers/totp\").Totp\n | import(\"../providers/anonymous\").Anonymous\n | import(\"../providers/device\").Device\n | import(\"../providers/sso\").SSO\n | import(\"../providers/email\").Email\n | import(\"../providers/phone\").Phone\n | OAuthMaterializedConfig\n | ConvexCredentialsConfig\n | ((...args: any) => ConvexCredentialsConfig)\n | EmailConfig\n | ((...args: any) => EmailConfig)\n | PhoneConfig\n | ((...args: any) => PhoneConfig)\n | PasskeyProviderConfig\n | ((...args: any) => PasskeyProviderConfig)\n | TotpProviderConfig\n | ((...args: any) => TotpProviderConfig)\n | DeviceProviderConfig\n | ((...args: any) => DeviceProviderConfig)\n | SSOProviderConfig;\n\n/**\n * Minimal config stored for the SSO provider at runtime.\n * No options — enterprise configuration is entirely per-tenant runtime state.\n */\nexport interface SSOProviderConfig {\n id: string;\n type: \"sso\";\n}\n\n/**\n * Account linking strategy for enterprise SSO sign-in.\n *\n * - `\"verifiedEmail\"` — link accounts when the IdP-provided email matches a verified email on an existing user.\n * - `\"none\"` — never auto-link; always create a new account.\n */\nexport type EnterpriseAccountLinkingPolicy = \"verifiedEmail\" | \"none\";\n\n/**\n * Policy for reusing existing users during SCIM provisioning.\n *\n * - `\"externalId\"` — match by the SCIM `externalId` to reuse a previously provisioned user.\n * - `\"none\"` — always create a new user for each SCIM provision request.\n */\nexport type EnterpriseScimReuseUserPolicy = \"externalId\" | \"none\";\n\n/**\n * Just-in-time provisioning mode for enterprise SSO.\n *\n * - `\"off\"` — no JIT provisioning; users must be pre-provisioned.\n * - `\"createUser\"` — create a user record on first SSO sign-in.\n * - `\"createUserAndMembership\"` — create a user and add them to the enterprise group on first SSO sign-in.\n */\nexport type EnterpriseJitProvisioningMode =\n | \"off\"\n | \"createUser\"\n | \"createUserAndMembership\";\n\n/**\n * Deprovisioning strategy when a SCIM user is deleted.\n *\n * - `\"soft\"` — mark the user as inactive but preserve the record.\n * - `\"hard\"` — permanently delete the user and associated data.\n */\nexport type EnterpriseDeprovisionMode = \"soft\" | \"hard\";\n\n/**\n * Effective enterprise policy document stored for an SSO/SCIM tenant.\n *\n * Controls account linking, JIT provisioning, SCIM reuse behavior,\n * deprovisioning, and any app-defined extension metadata.\n *\n * @see {@link EnterprisePolicyPatch}\n */\nexport interface EnterprisePolicy {\n version: 1;\n identity: {\n accountLinking: {\n oidc: EnterpriseAccountLinkingPolicy;\n saml: EnterpriseAccountLinkingPolicy;\n };\n };\n provisioning: {\n scimReuse: {\n user: EnterpriseScimReuseUserPolicy;\n };\n jit: {\n mode: EnterpriseJitProvisioningMode;\n defaultRoleIds: string[];\n };\n deprovision: {\n mode: EnterpriseDeprovisionMode;\n };\n };\n extend?: Record<string, unknown>;\n}\n\n/**\n * Partial update payload for {@link EnterprisePolicy}.\n *\n * Use this when patching only selected enterprise policy sections without\n * replacing the entire stored policy document.\n */\nexport interface EnterprisePolicyPatch {\n identity?: {\n accountLinking?: {\n oidc?: EnterpriseAccountLinkingPolicy;\n saml?: EnterpriseAccountLinkingPolicy;\n };\n };\n provisioning?: {\n scimReuse?: {\n user?: EnterpriseScimReuseUserPolicy;\n };\n jit?: {\n mode?: EnterpriseJitProvisioningMode;\n defaultRoleIds?: string[];\n };\n deprovision?: {\n mode?: EnterpriseDeprovisionMode;\n };\n };\n extend?: Record<string, unknown>;\n}\n\n/**\n * Email provider config for magic link / OTP sign-in.\n *\n * @typeParam DataModel - The Convex data model for typed action contexts.\n */\nexport interface EmailConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> {\n /** Provider identifier (e.g. `\"email\"`, `\"resend\"`). */\n id: string;\n /** Discriminant for provider type routing. */\n type: \"email\";\n /** Display name for this provider. */\n name?: string;\n /** Sender address (e.g. `\"My App <noreply@example.com>\"`). */\n from?: string;\n /**\n * Token expiration in seconds. Defaults to 86 400 (24 hours).\n *\n * @defaultValue 86400\n */\n maxAge?: number;\n /**\n * Send the verification token to the user.\n *\n * Accepts an optional Convex action context as the second argument,\n * enabling use with Convex components like `@convex-dev/resend`.\n */\n sendVerificationRequest: (\n params: {\n identifier: string;\n url: string;\n expires: Date;\n provider: EmailConfig;\n token: string;\n request: Request;\n },\n ctx?: GenericActionCtx<AnyDataModel>,\n ) => Awaitable<void>;\n /**\n * Override to generate a custom verification token.\n * Tokens shorter than 24 characters are treated as OTPs and\n * require the original email to be re-submitted for verification.\n */\n generateVerificationToken?: () => Awaitable<string>;\n /**\n * Normalize the email address before storage / lookup.\n * Defaults to lowercasing and trimming whitespace.\n */\n normalizeIdentifier?: (identifier: string) => string;\n /**\n * Before the token is verified, check other\n * provided parameters.\n *\n * Used to make sure that OTPs are accompanied\n * with the correct email address.\n */\n authorize?: (\n /**\n * The values passed to the `signIn` function.\n */\n params: Record<string, Value | undefined>,\n account: GenericDoc<DataModel, \"Account\">,\n ) => Promise<void>;\n /** Raw user options before merging with defaults. */\n options: EmailUserConfig<DataModel>;\n}\n\n/**\n * User-facing configuration shape accepted by the email provider.\n *\n * Equivalent to `Partial<EmailConfig>` without internal runtime-only fields.\n *\n * @typeParam DataModel - The Convex data model.\n */\nexport type EmailUserConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> = Omit<Partial<EmailConfig<DataModel>>, \"options\" | \"type\">;\n\n/**\n * Same as email provider config, but verifies\n * phone number instead of the email address.\n *\n * @typeParam DataModel - The Convex data model for typed action contexts.\n */\nexport interface PhoneConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> {\n id: string;\n type: \"phone\";\n /**\n * Token expiration in seconds.\n */\n maxAge: number;\n /**\n * Send the phone number verification request.\n */\n sendVerificationRequest: (\n params: {\n identifier: string;\n url: string;\n expires: Date;\n provider: PhoneConfig;\n token: string;\n },\n ctx: GenericActionCtxWithAuthConfig<DataModel>,\n ) => Promise<void>;\n /**\n * Defaults to `process.env.AUTH_<PROVIDER_ID>_KEY`.\n */\n apiKey?: string;\n /**\n * Override this to generate a custom token.\n * Note that the tokens are assumed to be cryptographically secure.\n * Any tokens shorter than 24 characters are assumed to not\n * be secure enough on their own, and require providing\n * the original `phone` used in the initial `signIn` call.\n * @returns\n */\n generateVerificationToken?: () => Promise<string>;\n /**\n * Normalize the phone number.\n * @param identifier Passed as `phone` in params of `signIn`.\n * @returns The phone number used in `sendVerificationRequest`.\n */\n normalizeIdentifier?: (identifier: string) => string;\n /**\n * Before the token is verified, check other\n * provided parameters.\n *\n * Used to make sure tha OTPs are accompanied\n * with the correct phone number.\n */\n authorize?: (\n /**\n * The values passed to the `signIn` function.\n */\n params: Record<string, Value | undefined>,\n account: GenericDoc<DataModel, \"Account\">,\n ) => Promise<void>;\n options: PhoneUserConfig<DataModel>;\n}\n\n/**\n * User-facing configuration shape accepted by the phone provider.\n *\n * Equivalent to `Partial<PhoneConfig>` without internal runtime-only fields.\n *\n * @typeParam DataModel - The Convex data model.\n */\nexport type PhoneUserConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> = Omit<Partial<PhoneConfig<DataModel>>, \"options\" | \"type\">;\n\n/**\n * Credentials provider config used by Convex Auth.\n */\nexport type ConvexCredentialsConfig = CredentialsConfig<any> & {\n type: \"credentials\";\n id: string;\n};\n\n/**\n * Configuration for the passkey (WebAuthn) provider.\n */\nexport interface PasskeyProviderConfig {\n id: string;\n type: \"passkey\";\n options: {\n /** Relying Party display name. Defaults to SITE_URL hostname. */\n rpName?: string;\n /** Relying Party ID (hostname). Defaults to SITE_URL hostname. */\n rpId?: string;\n /** Allowed origins for credential verification. Defaults to SITE_URL plus SECONDARY_URL. */\n origin?: string | string[];\n /**\n * Attestation conveyance preference. Defaults to \"none\".\n *\n * @defaultValue \"none\"\n */\n attestation?: \"none\" | \"direct\";\n /**\n * User verification requirement. Defaults to \"required\".\n *\n * @defaultValue \"required\"\n */\n userVerification?: \"required\" | \"preferred\" | \"discouraged\";\n /**\n * Resident key (discoverable credential) preference. Defaults to \"preferred\".\n *\n * @defaultValue \"preferred\"\n */\n residentKey?: \"required\" | \"preferred\" | \"discouraged\";\n /** Restrict to platform or cross-platform authenticators. */\n authenticatorAttachment?: \"platform\" | \"cross-platform\";\n /**\n * Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)].\n *\n * @defaultValue [-7, -257]\n */\n algorithms?: number[];\n /**\n * Challenge expiration in ms. Defaults to 300_000 (5 minutes).\n *\n * @defaultValue 300_000\n */\n challengeExpirationMs?: number;\n };\n}\n\n/**\n * Configuration for the TOTP two-factor authentication provider.\n */\nexport interface TotpProviderConfig {\n id: string;\n type: \"totp\";\n options: {\n /** Issuer name shown in authenticator apps (e.g. \"My App\"). */\n issuer: string;\n /**\n * Number of digits in each code (default: 6).\n *\n * @defaultValue 6\n */\n digits: number;\n /**\n * Time period in seconds for code rotation (default: 30).\n *\n * @defaultValue 30\n */\n period: number;\n };\n}\n\n// ============================================================================\n// OAuth types (Arctic-based)\n// ============================================================================\n\n/**\n * Normalized user profile returned by an OAuth provider.\n *\n * `id` is the provider-specific account identifier (e.g. GitHub user ID).\n */\nexport interface OAuthProfile {\n id: string;\n name?: string;\n email?: string;\n image?: string;\n /** Additional claims from the ID token or userinfo endpoint. */\n [key: string]: unknown;\n}\n\n/**\n * Internal config shape for an OAuth provider after normalization.\n *\n * This is what the OAuth flow code receives — it maps to the user-facing\n * `OAuthConfig` from `@robelest/convex-auth/providers`.\n *\n * @internal\n */\nexport interface OAuthProviderConfig {\n /** OAuth scopes to request. */\n scopes?: string[];\n /** User-provided profile extraction callback. */\n profile?: (tokens: import(\"arctic\").OAuth2Tokens) => Promise<OAuthProfile>;\n}\n\n/** Credentials identifying a provider account (e.g. email + hashed password). */\nexport type AuthAccountCredentials = {\n /** Provider-specific account identifier (e.g. email address). */\n id: string;\n /** Optional secret (e.g. hashed password). */\n secret?: string;\n};\n\n/** Arguments for `auth.account.create()`. */\nexport type AuthCreateAccountArgs = {\n provider: string;\n account: AuthAccountCredentials;\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\n\n/** Arguments for `auth.account.get()`. */\nexport type AuthRetrieveAccountArgs = {\n provider: string;\n account: AuthAccountCredentials;\n};\n\n/** Arguments for `auth.account.update()`. */\nexport type AuthUpdateAccountArgs = {\n provider: string;\n account: {\n id: string;\n secret: string;\n };\n};\n\n/** Arguments for `auth.session.invalidate()`. */\nexport type AuthInvalidateSessionsArgs = {\n userId: GenericId<\"User\">;\n except?: GenericId<\"Session\">[];\n};\n\n/** Arguments for `auth.provider.signIn()`. */\nexport type AuthProviderSignInArgs = {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, Value | undefined>;\n};\n\n/** Return type of `auth.provider.signIn()` — user and session IDs, or `null` on failure. */\nexport type AuthProviderSignInResult = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n} | null;\n\n/** Arguments for `auth.member.inspect()`. */\nexport type AuthMemberInspectArgs = {\n userId: GenericId<\"User\">;\n groupId: GenericId<\"Group\">;\n ancestry?: boolean;\n maxDepth?: number;\n};\n\n/** Result of `auth.member.inspect()` — membership state and derived access details. */\nexport type AuthMemberInspectResult = {\n membership: GenericDoc<GenericDataModel, \"GroupMember\"> | null;\n roleIds: string[];\n grants: string[];\n};\n\n/** Arguments for `auth.member.require()`. */\nexport type AuthMemberRequireArgs = AuthMemberInspectArgs & {\n roleIds?: string[];\n grants?: string[];\n};\n\n/**\n * Server-side auth helper methods injected into `ctx.auth` within provider actions.\n *\n * Provides programmatic access to account management, session lifecycle,\n * membership resolution, and provider sign-in from within Convex actions\n * that use {@link GenericActionCtxWithAuthConfig}.\n *\n * @see {@link GenericActionCtxWithAuthConfig}\n *\n * @example\n * ```ts\n * // Inside a credentials provider's authorize callback:\n * const { account, user } = await ctx.auth.account.get(ctx, {\n * provider: \"password\",\n * account: { id: email },\n * });\n * ```\n */\nexport type AuthServerHelpers = {\n /** Account management: create, retrieve, and update provider-linked accounts. */\n account: {\n create: (\n ctx: GenericActionCtx<any>,\n args: AuthCreateAccountArgs,\n ) => Promise<{\n account: GenericDoc<GenericDataModel, \"Account\">;\n user: GenericDoc<GenericDataModel, \"User\">;\n }>;\n get: (\n ctx: GenericActionCtx<any>,\n args: AuthRetrieveAccountArgs,\n ) => Promise<{\n account: GenericDoc<GenericDataModel, \"Account\">;\n user: GenericDoc<GenericDataModel, \"User\">;\n }>;\n update: (\n ctx: GenericActionCtx<any>,\n args: AuthUpdateAccountArgs,\n ) => Promise<{ accountId: GenericId<\"Account\"> }>;\n };\n session: {\n current: (ctx: {\n auth: GenericActionCtx<GenericDataModel>[\"auth\"];\n }) => Promise<GenericId<\"Session\"> | null>;\n invalidate: (\n ctx: GenericActionCtx<any>,\n args: AuthInvalidateSessionsArgs,\n ) => Promise<{\n userId: GenericId<\"User\">;\n except: GenericId<\"Session\">[];\n }>;\n };\n member: {\n inspect: (\n ctx: GenericActionCtx<any>,\n args: AuthMemberInspectArgs,\n ) => Promise<AuthMemberInspectResult>;\n require: (\n ctx: GenericActionCtx<any>,\n args: AuthMemberRequireArgs,\n ) => Promise<AuthMemberInspectResult>;\n };\n provider: {\n signIn: (\n ctx: GenericActionCtx<any>,\n provider: AuthProviderConfig,\n args: AuthProviderSignInArgs,\n ) => Promise<AuthProviderSignInResult>;\n };\n};\n\n/**\n * Your `ActionCtx` enriched with `ctx.auth.config` field with\n * the config passed to `createAuth`.\n *\n * @typeParam DataModel - The Convex data model.\n */\nexport type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> =\n GenericActionCtx<DataModel> & {\n auth: GenericActionCtx<DataModel>[\"auth\"] & {\n config: ConvexAuthMaterializedConfig;\n } & AuthServerHelpers;\n };\n\n/**\n * The config for the Convex Auth library, passed to `createAuth`,\n * with defaults and initialized providers.\n *\n * See {@link ConvexAuthConfig}\n */\nexport type ConvexAuthMaterializedConfig = {\n providers: AuthProviderMaterializedConfig[];\n} & Pick<\n ConvexAuthConfig,\n \"component\" | \"session\" | \"jwt\" | \"signIn\" | \"callbacks\" | \"authorization\"\n>;\n\n/**\n * Maps SAML assertion attribute names to user profile fields.\n *\n * Use this to tell the SSO flow which SAML attributes correspond to\n * the user's subject identifier, email, and display name fields.\n */\nexport interface SAMLAttributeMapping {\n /** SAML attribute for the unique subject identifier (NameID). */\n subject?: string;\n /** SAML attribute for the user's email address. */\n email?: string;\n /** SAML attribute for the user's full display name. */\n name?: string;\n /** SAML attribute for the user's first / given name. */\n firstName?: string;\n /** SAML attribute for the user's last / family name. */\n lastName?: string;\n}\n\n/**\n * Materialized OAuth provider config (Arctic-based).\n *\n * Carries the Arctic provider instance along with scopes and profile config.\n * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.\n */\nexport interface OAuthMaterializedConfig {\n /**\n * Provider identifier (e.g. `\"google\"`, `\"github\"`).\n * @readonly\n */\n readonly id: string;\n /**\n * Discriminant for provider type routing.\n * @readonly\n */\n readonly type: \"oauth\";\n /**\n * The Arctic provider instance.\n * @readonly\n */\n readonly provider: any;\n /**\n * OAuth scopes to request.\n * @readonly\n */\n readonly scopes: string[];\n /**\n * User-provided profile extraction callback.\n * @readonly\n */\n readonly profile?: (\n tokens: import(\"arctic\").OAuth2Tokens,\n ) => Promise<OAuthProfile>;\n /**\n * Account-linking policy for OAuth identities. Defaults to verified email linking.\n * @readonly\n */\n readonly accountLinking?: \"verifiedEmail\" | \"none\";\n}\n\n/**\n * Device authorization provider config (RFC 8628).\n *\n * Enables input-constrained devices (CLIs, TVs, IoT) to authenticate\n * by displaying a short code that the user enters on a secondary device.\n */\nexport interface DeviceProviderConfig {\n id: string;\n type: \"device\";\n /** User code character set. Default: `\"BCDFGHJKLMNPQRSTVWXZ\"` (base-20, no vowels). */\n charset: string;\n /** User code length. Default: 8. */\n userCodeLength: number;\n /** Device code + user code lifetime in seconds. Default: 900 (15 min). */\n expiresIn: number;\n /** Minimum polling interval in seconds. Default: 5. */\n interval: number;\n /**\n * Base URL for the verification page (e.g. `\"http://localhost:3000/device\"`).\n *\n * This is where users go to enter the device code. If not provided,\n * falls back to `SITE_URL + \"/device\"`.\n */\n verificationUri?: string;\n}\n\n/**\n * Materialized auth provider config — the fully resolved form stored at runtime.\n */\nexport type AuthProviderMaterializedConfig =\n | OAuthMaterializedConfig\n | EmailConfig\n | PhoneConfig\n | ConvexCredentialsConfig\n | PasskeyProviderConfig\n | TotpProviderConfig\n | DeviceProviderConfig\n | SSOProviderConfig;\n\n/**\n * Resolves to `true` when the providers list includes `SSO`, otherwise `false`.\n *\n * Used to make `auth.sso` conditionally present on the `createAuth`\n * return type — it only appears when `new SSO()` is in the providers array.\n */\nexport type HasSSO<P extends AuthProviderConfig[]> =\n import(\"../providers/sso\").SSO extends P[number] ? true : false;\n\nexport type HasPasskeyProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/passkey\").Passkey extends P[number] ? true : false;\n\nexport type HasTotpProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/totp\").Totp extends P[number] ? true : false;\n\nexport type HasDeviceProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/device\").Device extends P[number] ? true : false;\n\n// ============================================================================\n// API Key types\n// ============================================================================\n\n/**\n * A single scope entry stored per API key.\n * Uses a resource:action pattern for structured permissions.\n *\n * ```ts\n * { resource: \"users\", actions: [\"read\", \"list\"] }\n * ```\n */\nexport interface KeyScope {\n resource: string;\n actions: string[];\n}\n\n/**\n * Result of scope verification. Provides a `.can()` helper\n * for checking if a key has a specific permission.\n *\n * ```ts\n * const result = await auth.key.verify(ctx, rawKey);\n * if (result.scopes.can(\"users\", \"read\")) {\n * // authorized\n * }\n * ```\n */\nexport interface ScopeChecker {\n /** Check if the key has permission for a given resource:action. */\n can(resource: string, action: string): boolean;\n /** The raw scope entries from the key. */\n scopes: KeyScope[];\n}\n\n/**\n * An API key record as returned by `auth.key.list()` and `auth.key.get()`.\n * Never includes the raw key material — only the display prefix.\n */\nexport interface KeyRecord {\n /** Document ID. */\n _id: string;\n /** Owner user ID. */\n userId: string;\n /** Display prefix (e.g. `\"sk_abc1\"`). Safe to show in UIs. */\n prefix: string;\n /** Human-readable name (e.g. \"CI Pipeline\"). */\n name: string;\n /** Resource:action permissions granted to this key. */\n scopes: KeyScope[];\n /** Per-key rate limit, if configured. */\n rateLimit?: { maxRequests: number; windowMs: number };\n /** Expiration timestamp (ms since epoch), or `undefined` for no expiry. */\n expiresAt?: number;\n /** Timestamp of last successful verification, or `undefined` if never used. */\n lastUsedAt?: number;\n /** Creation timestamp (ms since epoch). */\n createdAt: number;\n /** `true` when the key has been revoked (soft-deleted). */\n revoked: boolean;\n /** Arbitrary app-specific metadata attached to the key. */\n metadata?: Record<string, unknown>;\n}\n\n// ============================================================================\n// Unified List API types\n// ============================================================================\n\n/**\n * Options for paginated list queries. Every entity list method uses this\n * same shape with entity-specific `TWhere` and `TOrderBy` type parameters.\n *\n * @typeParam TWhere - The type of the optional filter object.\n * @typeParam TOrderBy - The union of sortable field names.\n *\n * ```ts\n * const result = await auth.group.list(ctx, {\n * where: { type: \"team\" },\n * limit: 20,\n * orderBy: \"name\",\n * order: \"asc\",\n * });\n * ```\n */\nexport type ListOptions<\n TWhere extends Record<string, unknown>,\n TOrderBy extends string,\n> = {\n /** Serializable filter — only known fields for the entity. */\n where?: TWhere;\n /** Maximum number of items to return. Defaults to 50, max 100. */\n limit?: number;\n /** Opaque cursor from a previous `ListResult.nextCursor`. */\n cursor?: string | null;\n /** Field to sort by. Defaults to `\"_creationTime\"`. */\n orderBy?: TOrderBy;\n /** Sort direction. Defaults to `\"desc\"`. */\n order?: \"asc\" | \"desc\";\n};\n\n/**\n * Paginated list result returned by every entity list method.\n *\n * @typeParam T - The type of items in the result array.\n */\nexport type ListResult<T> = {\n /** The page of items. */\n items: T[];\n /** Opaque cursor for the next page, or `null` when exhausted. */\n nextCursor: string | null;\n};\n\n// -- Per-entity Where / OrderBy types --\n\n/**\n * A single key/value tag for group classification.\n *\n * Tags are normalized at write time: both `key` and `value` are\n * trimmed and lowercased. Filtering is strict exact-match only.\n */\nexport type GroupTag = {\n key: string;\n value: string;\n};\n\n/** Filter fields for `auth.group.list()`. All optional. */\nexport type GroupWhere = {\n slug?: string;\n type?: string;\n parentGroupId?: string;\n name?: string;\n /** When `true`, return only root groups (no parent). When `false`, only non-root. */\n isRoot?: boolean;\n /**\n * Return only groups that have **all** of the specified tags.\n * Each tag is matched exactly on normalized `(key, value)`.\n */\n tagsAll?: GroupTag[];\n /**\n * Return only groups that have **at least one** of the specified tags.\n * Each tag is matched exactly on normalized `(key, value)`.\n */\n tagsAny?: GroupTag[];\n};\n\n/** Sortable fields for `auth.group.list()`. */\nexport type GroupOrderBy = \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n\n/** Filter fields for `auth.member.list()`. All optional. */\nexport type MemberWhere = {\n groupId?: string;\n userId?: string;\n roleId?: string;\n status?: string;\n};\n\n/** Sortable fields for `auth.member.list()`. */\nexport type MemberOrderBy = \"_creationTime\" | \"status\";\n\n/** Filter fields for `auth.invite.list()`. All optional. */\nexport type InviteWhere = {\n tokenHash?: string;\n groupId?: string;\n status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n email?: string;\n invitedByUserId?: string;\n roleId?: string;\n acceptedByUserId?: string;\n};\n\n/** Sortable fields for `auth.invite.list()`. */\nexport type InviteOrderBy =\n | \"_creationTime\"\n | \"status\"\n | \"email\"\n | \"expiresTime\"\n | \"acceptedTime\";\n\n/** Filter fields for `auth.key.list()`. All optional. */\nexport type KeyWhere = {\n userId?: string;\n revoked?: boolean;\n name?: string;\n prefix?: string;\n};\n\n/** Sortable fields for `auth.key.list()`. */\nexport type KeyOrderBy =\n | \"_creationTime\"\n | \"name\"\n | \"lastUsedAt\"\n | \"expiresAt\"\n | \"revoked\";\n\n/** Filter fields for `auth.user.list()`. All optional. */\nexport type UserWhere = {\n email?: string;\n phone?: string;\n isAnonymous?: boolean;\n name?: string;\n};\n\n/** Sortable fields for `auth.user.list()`. */\nexport type UserOrderBy = \"_creationTime\" | \"name\" | \"email\" | \"phone\";\n\n// ============================================================================\n// HTTP Bearer Auth types\n// ============================================================================\n\n/**\n * Context injected into `auth.http.action()` and `auth.http.route()` handlers.\n *\n * The handler's `ctx` receives these fields after Bearer token verification:\n *\n * ```ts\n * auth.http.route(http, {\n * path: \"/api/data\",\n * method: \"GET\",\n * handler: async (ctx, request) => {\n * ctx.key.userId; // owner of the API key\n * ctx.key.keyId; // the key document ID\n * ctx.key.scopes.can(\"data\", \"read\"); // scope check\n * },\n * });\n * ```\n */\nexport interface HttpKeyContext {\n key: {\n /** The user ID that owns the verified API key. */\n userId: string;\n /** The API key document ID. */\n keyId: string;\n /** Scope checker for the verified key's permissions. */\n scopes: ScopeChecker;\n };\n}\n\n/**\n * CORS configuration for Bearer-authenticated HTTP endpoints.\n */\nexport interface CorsConfig {\n /** Allowed origin(s). Defaults to `\"*\"`. */\n origin?: string;\n /** Allowed HTTP methods. Defaults to `\"GET,POST,PUT,PATCH,DELETE,OPTIONS\"`. */\n methods?: string;\n /** Allowed request headers. Defaults to `\"Content-Type,Authorization\"`. */\n headers?: string;\n}\n\n/**\n * Component function references required by core auth runtime.\n *\n * @internal Consumers should not depend on this shape — it may change\n * between minor versions. Pass `components.auth` directly to `createAuth`.\n */\nexport type AuthComponentApi = {\n public: {\n userGetById: FunctionReference<\"query\", \"internal\">;\n userList: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedEmail: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedPhone: FunctionReference<\"query\", \"internal\">;\n userInsert: FunctionReference<\"mutation\", \"internal\">;\n userUpsert: FunctionReference<\"mutation\", \"internal\">;\n userPatch: FunctionReference<\"mutation\", \"internal\">;\n userDelete: FunctionReference<\"mutation\", \"internal\">;\n accountGet: FunctionReference<\"query\", \"internal\">;\n accountGetById: FunctionReference<\"query\", \"internal\">;\n accountInsert: FunctionReference<\"mutation\", \"internal\">;\n accountListByUser: FunctionReference<\"query\", \"internal\">;\n accountPatch: FunctionReference<\"mutation\", \"internal\">;\n accountDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionCreate: FunctionReference<\"mutation\", \"internal\">;\n sessionGetById: FunctionReference<\"query\", \"internal\">;\n sessionDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionListByUser: FunctionReference<\"query\", \"internal\">;\n verifierCreate: FunctionReference<\"mutation\", \"internal\">;\n verifierGetById: FunctionReference<\"query\", \"internal\">;\n verifierGetBySignature: FunctionReference<\"query\", \"internal\">;\n verifierPatch: FunctionReference<\"mutation\", \"internal\">;\n verifierDelete: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeGetByAccountId: FunctionReference<\"query\", \"internal\">;\n verificationCodeGetByCode: FunctionReference<\"query\", \"internal\">;\n verificationCodeCreate: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeDelete: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenCreate: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetById: FunctionReference<\"query\", \"internal\">;\n refreshTokenPatch: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetChildren: FunctionReference<\"query\", \"internal\">;\n refreshTokenListBySession: FunctionReference<\"query\", \"internal\">;\n refreshTokenDeleteAll: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetActive: FunctionReference<\"query\", \"internal\">;\n rateLimitGet: FunctionReference<\"query\", \"internal\">;\n rateLimitCreate: FunctionReference<\"mutation\", \"internal\">;\n rateLimitPatch: FunctionReference<\"mutation\", \"internal\">;\n rateLimitDelete: FunctionReference<\"mutation\", \"internal\">;\n groupCreate: FunctionReference<\"mutation\", \"internal\">;\n groupGet: FunctionReference<\"query\", \"internal\">;\n groupList: FunctionReference<\"query\", \"internal\">;\n groupUpdate: FunctionReference<\"mutation\", \"internal\">;\n groupDelete: FunctionReference<\"mutation\", \"internal\">;\n memberAdd: FunctionReference<\"mutation\", \"internal\">;\n memberGet: FunctionReference<\"query\", \"internal\">;\n memberList: FunctionReference<\"query\", \"internal\">;\n memberGetByGroupAndUser: FunctionReference<\"query\", \"internal\">;\n memberRemove: FunctionReference<\"mutation\", \"internal\">;\n memberUpdate: FunctionReference<\"mutation\", \"internal\">;\n inviteCreate: FunctionReference<\"mutation\", \"internal\">;\n inviteGet: FunctionReference<\"query\", \"internal\">;\n inviteGetByTokenHash: FunctionReference<\"query\", \"internal\">;\n inviteList: FunctionReference<\"query\", \"internal\">;\n inviteAccept: FunctionReference<\"mutation\", \"internal\">;\n inviteAcceptByToken: FunctionReference<\"mutation\", \"internal\">;\n inviteRevoke: FunctionReference<\"mutation\", \"internal\">;\n keyInsert: FunctionReference<\"mutation\", \"internal\">;\n keyGetByHashedKey: FunctionReference<\"query\", \"internal\">;\n keyGetById: FunctionReference<\"query\", \"internal\">;\n keyList: FunctionReference<\"query\", \"internal\">;\n keyPatch: FunctionReference<\"mutation\", \"internal\">;\n keyDelete: FunctionReference<\"mutation\", \"internal\">;\n passkeyInsert: FunctionReference<\"mutation\", \"internal\">;\n passkeyGetByCredentialId: FunctionReference<\"query\", \"internal\">;\n passkeyListByUserId: FunctionReference<\"query\", \"internal\">;\n passkeyUpdateCounter: FunctionReference<\"mutation\", \"internal\">;\n passkeyUpdateMeta: FunctionReference<\"mutation\", \"internal\">;\n passkeyDelete: FunctionReference<\"mutation\", \"internal\">;\n totpInsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpGetVerifiedByUserId: FunctionReference<\"query\", \"internal\", any, any>;\n totpListByUserId: FunctionReference<\"query\", \"internal\", any, any>;\n totpGetById: FunctionReference<\"query\", \"internal\", any, any>;\n totpMarkVerified: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpUpdateLastUsed: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceInsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceGetByCodeHash: FunctionReference<\"query\", \"internal\", any, any>;\n deviceGetByUserCode: FunctionReference<\"query\", \"internal\", any, any>;\n deviceAuthorize: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceUpdateLastPolled: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseCreate: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseGetByGroup: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseGetByDomain: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseUpdate: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainAdd: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseDomainDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainVerificationGet: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseDomainVerificationUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseDomainVerificationDelete: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseDomainVerify: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseSecretUpsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseSecretGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseSecretDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseScimConfigUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimConfigGetByEnterprise: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimConfigGetByTokenHash: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseScimIdentityGetByUser: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGetByEnterpriseAndUser: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGetByMappedGroup: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityListByEnterprise: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityDelete: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseAuditEventCreate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseAuditEventList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseWebhookEndpointCreate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointList: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointGet: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointUpdate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryEnqueue: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryListReady: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryPatch: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n };\n};\n\n// ============================================================================\n// Convex document types (merged from convex_types)\n// ============================================================================\n\n/**\n * Convex document from a given table.\n */\nexport type GenericDoc<\n DataModel extends GenericDataModel,\n TableName extends TableNamesInDataModel<DataModel>,\n> = DocumentByName<DataModel, TableName> & {\n _id: GenericId<TableName>;\n _creationTime: number;\n};\n\n/**\n * @internal\n */\nexport type FunctionReferenceFromExport<Export> =\n Export extends RegisteredQuery<infer Visibility, infer Args, infer Output>\n ? FunctionReference<\"query\", Visibility, Args, ConvertReturnType<Output>>\n : Export extends RegisteredMutation<\n infer Visibility,\n infer Args,\n infer Output\n >\n ? FunctionReference<\n \"mutation\",\n Visibility,\n Args,\n ConvertReturnType<Output>\n >\n : Export extends RegisteredAction<\n infer Visibility,\n infer Args,\n infer Output\n >\n ? FunctionReference<\n \"action\",\n Visibility,\n Args,\n ConvertReturnType<Output>\n >\n : never;\n\ntype ConvertReturnType<T> = UndefinedToNull<Awaited<T>>;\n\ntype UndefinedToNull<T> = T extends void ? null : T;\n\n// Internal server data-model types (merged from former internalTypes.ts)\n\n/** Data model derived from the component schema. */\nexport type AuthDataModel = DataModelFromSchemaDefinition<typeof schema>;\n\n/** Action context typed to the auth component's data model. */\nexport type ActionCtx = GenericActionCtx<AuthDataModel>;\n\n/** Mutation context typed to the auth component's data model. */\nexport type MutationCtx = GenericMutationCtx<AuthDataModel>;\n\n/** Query context typed to the auth component's data model. */\nexport type QueryCtx = GenericQueryCtx<AuthDataModel>;\n\n/** A document from any table in the auth component schema. */\nexport type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<\n AuthDataModel,\n T\n>;\n\n/** A pair of JWT access token and refresh token. */\nexport type Tokens = { token: string; refreshToken: string };\n\n/** Session information returned after authentication. */\nexport type SessionInfo = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n tokens: Tokens | null;\n};\n\n/** Session information with guaranteed non-null tokens. */\nexport type SessionInfoWithTokens = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n tokens: Tokens;\n};\n\n// ---------------------------------------------------------------------------\n// Cross-component document shapes\n// ---------------------------------------------------------------------------\n// These mirror the component schema tables. They exist so that server-side\n// code can work with typed results from cross-component queries/mutations\n// instead of casting to `any` at every field access.\n\nexport type TotpDoc = Infer<typeof vTotpFactorDoc>;\n\nexport type PasskeyDoc = Infer<typeof vPasskeyDoc>;\n\nexport type VerifierDoc = Infer<typeof vAuthVerifierDoc>;\n\n/**\n * Cross-component user document shape inferred from the component validator.\n *\n * Used by internal typed wrappers (`queryUserById`, etc.) so server code stays\n * aligned with the component runtime contract. Not intended for consumer use —\n * consumers should use `UserDoc` (exported from\n * `@robelest/convex-auth/component`).\n *\n * @internal\n */\nexport type CrossComponentUserDoc = Infer<typeof vUserDoc>;\n\nexport type KeyDoc = Infer<typeof vApiKeyDoc>;\n\n// ---------------------------------------------------------------------------\n// Cross-component wrapper context\n// ---------------------------------------------------------------------------\n// Structural type accepted by all wrappers below. Works for both action and\n// mutation contexts — the only capabilities we need are runQuery / runMutation\n// and access to the component API via `auth.config.component`.\n\n/** @internal */\nexport type ComponentCallCtx = {\n runQuery: GenericActionCtx<AuthDataModel>[\"runQuery\"];\n runMutation: GenericActionCtx<AuthDataModel>[\"runMutation\"];\n auth: { config: { component: AuthComponentApi } };\n};\n\n// ---------------------------------------------------------------------------\n// Typed wrappers for cross-component calls\n// ---------------------------------------------------------------------------\n// Each wrapper encapsulates the single `as any` cast at the component\n// boundary so that callers get full type safety on both args and return\n// values.\n\n// -- User queries --\n\nexport async function queryUserById(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<CrossComponentUserDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.userGetById, {\n userId,\n })) as CrossComponentUserDoc | null;\n}\n\nexport async function queryUserByVerifiedEmail(\n ctx: ComponentCallCtx,\n email: string,\n): Promise<CrossComponentUserDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.userFindByVerifiedEmail,\n { email },\n )) as CrossComponentUserDoc | null;\n}\n\n// -- Verifier queries / mutations --\n\nexport async function queryVerifierById(\n ctx: ComponentCallCtx,\n verifierId: string,\n): Promise<VerifierDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.verifierGetById, {\n verifierId,\n })) as VerifierDoc | null;\n}\n\nexport async function mutateVerifierDelete(\n ctx: ComponentCallCtx,\n verifierId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.verifierDelete, {\n verifierId,\n });\n}\n\n// -- TOTP queries / mutations --\n\nexport async function queryTotpById(\n ctx: ComponentCallCtx,\n totpId: string,\n): Promise<TotpDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.totpGetById, {\n totpId,\n })) as TotpDoc | null;\n}\n\nexport async function queryTotpVerifiedByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<TotpDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.totpGetVerifiedByUserId,\n { userId },\n )) as TotpDoc | null;\n}\n\nexport async function mutateTotpInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n secret: ArrayBuffer;\n digits: number;\n period: number;\n verified: boolean;\n name?: string;\n createdAt: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.totpInsert,\n args,\n )) as string;\n}\n\nexport async function mutateTotpMarkVerified(\n ctx: ComponentCallCtx,\n totpId: string,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.totpMarkVerified, {\n totpId,\n lastUsedAt,\n });\n}\n\nexport async function mutateTotpUpdateLastUsed(\n ctx: ComponentCallCtx,\n totpId: string,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.totpUpdateLastUsed, {\n totpId,\n lastUsedAt,\n });\n}\n\n// -- Passkey queries / mutations --\n\nexport async function queryPasskeysByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<PasskeyDoc[]> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.passkeyListByUserId,\n { userId },\n )) as PasskeyDoc[];\n}\n\nexport async function queryPasskeyByCredentialId(\n ctx: ComponentCallCtx,\n credentialId: string,\n): Promise<PasskeyDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.passkeyGetByCredentialId,\n { credentialId },\n )) as PasskeyDoc | null;\n}\n\nexport async function mutatePasskeyInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n credentialId: string;\n publicKey: ArrayBuffer | ArrayBufferLike;\n algorithm: number;\n counter: number;\n transports?: string[];\n deviceType: string;\n backedUp: boolean;\n name?: string;\n createdAt: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.passkeyInsert,\n args,\n )) as string;\n}\n\nexport async function mutatePasskeyUpdateCounter(\n ctx: ComponentCallCtx,\n passkeyId: string,\n counter: number,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.passkeyUpdateCounter, {\n passkeyId,\n counter,\n lastUsedAt,\n });\n}\n\n// -- Key queries / mutations --\n\nexport async function mutateKeyInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n prefix: string;\n hashedKey: string;\n name: string;\n scopes: Array<{ resource: string; actions: string[] }>;\n rateLimit?: { maxRequests: number; windowMs: number };\n expiresAt?: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.keyInsert,\n args,\n )) as string;\n}\n\nexport async function queryKeysByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<KeyDoc[]> {\n const items: KeyDoc[] = [];\n let cursor: string | null = null;\n do {\n const page = (await ctx.runQuery(ctx.auth.config.component.public.keyList, {\n where: { userId },\n limit: 100,\n cursor,\n })) as {\n items: KeyDoc[];\n nextCursor: string | null;\n };\n items.push(...page.items);\n cursor = page.nextCursor;\n } while (cursor !== null);\n return items;\n}\n\nexport async function queryKeyById(\n ctx: ComponentCallCtx,\n keyId: string,\n): Promise<KeyDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.keyGetById, {\n keyId,\n })) as KeyDoc | null;\n}\n\nexport async function mutateKeyPatch(\n ctx: ComponentCallCtx,\n keyId: string,\n data: Record<string, unknown>,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.keyPatch, {\n keyId,\n data,\n });\n}\n\nexport async function mutateKeyDelete(\n ctx: ComponentCallCtx,\n keyId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.keyDelete, { keyId });\n}\n\n// -- Device authorization queries / mutations --\n\nexport type DeviceDoc = Infer<typeof vDeviceCodeDoc>;\n\nexport async function mutateDeviceInsert(\n ctx: ComponentCallCtx,\n args: {\n deviceCodeHash: string;\n userCode: string;\n expiresAt: number;\n interval: number;\n status: \"pending\" | \"authorized\" | \"denied\";\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.deviceInsert,\n args,\n )) as string;\n}\n\nexport async function queryDeviceByCodeHash(\n ctx: ComponentCallCtx,\n deviceCodeHash: string,\n): Promise<DeviceDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.deviceGetByCodeHash,\n { deviceCodeHash },\n )) as DeviceDoc | null;\n}\n\nexport async function queryDeviceByUserCode(\n ctx: ComponentCallCtx,\n userCode: string,\n): Promise<DeviceDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.deviceGetByUserCode,\n { userCode },\n )) as DeviceDoc | null;\n}\n\nexport async function mutateDeviceAuthorize(\n ctx: ComponentCallCtx,\n deviceId: string,\n userId: string,\n sessionId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.deviceAuthorize, {\n deviceId,\n userId,\n sessionId,\n });\n}\n\nexport async function mutateDeviceUpdateLastPolled(\n ctx: ComponentCallCtx,\n deviceId: string,\n lastPolledAt: number,\n): Promise<void> {\n await ctx.runMutation(\n ctx.auth.config.component.public.deviceUpdateLastPolled,\n { deviceId, lastPolledAt },\n );\n}\n\nexport async function mutateDeviceDelete(\n ctx: ComponentCallCtx,\n deviceId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.deviceDelete, {\n deviceId,\n });\n}\n"],"mappings":";AA8mDA,eAAsB,cACpB,KACA,QACuC;AACvC,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,aAAa,EACvE,QACD,CAAC;;AAGJ,eAAsB,yBACpB,KACA,OACuC;AACvC,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,OAAO,CACV;;AAKH,eAAsB,kBACpB,KACA,YAC6B;AAC7B,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB,EAC3E,YACD,CAAC;;AAGJ,eAAsB,qBACpB,KACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,gBAAgB,EACrE,YACD,CAAC;;AAKJ,eAAsB,cACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,aAAa,EACvE,QACD,CAAC;;AAGJ,eAAsB,0BACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,iBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,YACjC,KACD;;AAGH,eAAsB,uBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,kBAAkB;EACvE;EACA;EACD,CAAC;;AAGJ,eAAsB,yBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,oBAAoB;EACzE;EACA;EACD,CAAC;;AAKJ,eAAsB,sBACpB,KACA,QACuB;AACvB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,2BACpB,KACA,cAC4B;AAC5B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,0BACjC,EAAE,cAAc,CACjB;;AAGH,eAAsB,oBACpB,KACA,MAYiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,eACjC,KACD;;AAGH,eAAsB,2BACpB,KACA,WACA,SACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,sBAAsB;EAC3E;EACA;EACA;EACD,CAAC;;AAKJ,eAAsB,gBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,WACjC,KACD;;AAGH,eAAsB,kBACpB,KACA,QACmB;CACnB,MAAM,QAAkB,EAAE;CAC1B,IAAI,SAAwB;AAC5B,IAAG;EACD,MAAM,OAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,SAAS;GACzE,OAAO,EAAE,QAAQ;GACjB,OAAO;GACP;GACD,CAAC;AAIF,QAAM,KAAK,GAAG,KAAK,MAAM;AACzB,WAAS,KAAK;UACP,WAAW;AACpB,QAAO;;AAGT,eAAsB,aACpB,KACA,OACwB;AACxB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,YAAY,EACtE,OACD,CAAC;;AAGJ,eAAsB,eACpB,KACA,OACA,MACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,UAAU;EAC/D;EACA;EACD,CAAC;;AAGJ,eAAsB,gBACpB,KACA,OACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,CAAC;;AAO9E,eAAsB,mBACpB,KACA,MAOiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,cACjC,KACD;;AAGH,eAAsB,sBACpB,KACA,gBAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,gBAAgB,CACnB;;AAGH,eAAsB,sBACpB,KACA,UAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,UAAU,CACb;;AAGH,eAAsB,sBACpB,KACA,UACA,QACA,WACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB;EACtE;EACA;EACA;EACD,CAAC;;AAGJ,eAAsB,6BACpB,KACA,UACA,cACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,wBACjC;EAAE;EAAU;EAAc,CAC3B;;AAGH,eAAsB,mBACpB,KACA,UACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,cAAc,EACnE,UACD,CAAC"}
|
package/dist/server/users.d.ts
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export { };
|
package/dist/server/users.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"users.js","names":[],"sources":["../../src/server/users.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { AuthProviderMaterializedConfig, ConvexAuthConfig } from \"./types\";\nimport { LOG_LEVELS, logWithLevel } from \"./utils\";\n\ntype CreateOrUpdateUserArgs = {\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n provider: AuthProviderMaterializedConfig;\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n accountExtend?: Record<string, unknown>;\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\n\nfunction mergeExtend(\n existing: unknown,\n incoming: Record<string, unknown> | undefined,\n) {\n if (!incoming) {\n return undefined;\n }\n const existingRecord =\n typeof existing === \"object\" &&\n existing !== null &&\n !Array.isArray(existing)\n ? (existing as Record<string, unknown>)\n : undefined;\n return existingRecord ? { ...existingRecord, ...incoming } : incoming;\n}\n\n/** @internal */\nexport async function upsertUserAndAccount(\n ctx: MutationCtx,\n sessionId: GenericId<\"Session\"> | null,\n account:\n | { existingAccount: Doc<\"Account\"> }\n | {\n providerAccountId: string;\n secret?: string;\n },\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n opts?: { existingUserId?: GenericId<\"User\"> },\n): Promise<{\n userId: GenericId<\"User\">;\n accountId: GenericId<\"Account\">;\n}> {\n const userId = await defaultCreateOrUpdateUser(\n ctx,\n sessionId,\n \"existingAccount\" in account ? account.existingAccount : null,\n args,\n config,\n opts?.existingUserId ?? null,\n );\n const accountId = await createOrUpdateAccount(\n ctx,\n userId,\n account,\n args,\n config,\n );\n return { userId, accountId };\n}\n\nasync function defaultCreateOrUpdateUser(\n ctx: MutationCtx,\n existingSessionId: GenericId<\"Session\"> | null,\n existingAccount: Doc<\"Account\"> | null,\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n existingUserIdOverride: GenericId<\"User\"> | null,\n) {\n logWithLevel(LOG_LEVELS.DEBUG, \"defaultCreateOrUpdateUser args:\", {\n existingAccountId: existingAccount?._id,\n existingSessionId,\n args,\n });\n const existingUserId = existingAccount?.userId ?? null;\n const db = authDb(ctx, config);\n if (config.callbacks?.createOrUpdateUser !== undefined) {\n logWithLevel(LOG_LEVELS.DEBUG, \"Using custom createOrUpdateUser callback\");\n return await config.callbacks.createOrUpdateUser(ctx, {\n existingUserId,\n ...args,\n });\n }\n\n const {\n provider,\n profile: {\n id: _profileId,\n emailVerified: profileEmailVerified,\n phoneVerified: profilePhoneVerified,\n ...profile\n },\n } = args;\n const emailVerified =\n profileEmailVerified ??\n (provider.type === \"oauth\" && provider.accountLinking !== \"none\");\n const phoneVerified = profilePhoneVerified ?? false;\n const shouldLinkViaEmail =\n args.shouldLinkViaEmail || emailVerified || provider.type === \"email\";\n const shouldLinkViaPhone =\n args.shouldLinkViaPhone || phoneVerified || provider.type === \"phone\";\n\n let userId = existingUserId ?? existingUserIdOverride;\n if (existingUserId === null) {\n const existingUserWithVerifiedEmailId =\n typeof profile.email === \"string\" && shouldLinkViaEmail\n ? ((await uniqueUserWithVerifiedEmail(ctx, profile.email, config))\n ?._id ?? null)\n : null;\n\n const existingUserWithVerifiedPhoneId =\n typeof profile.phone === \"string\" && shouldLinkViaPhone\n ? ((await uniqueUserWithVerifiedPhone(ctx, profile.phone, config))\n ?._id ?? null)\n : null;\n const linkDispatch = {\n tag:\n existingUserWithVerifiedEmailId !== null &&\n existingUserWithVerifiedPhoneId !== null\n ? \"both\"\n : existingUserWithVerifiedEmailId !== null\n ? \"email\"\n : existingUserWithVerifiedPhoneId !== null\n ? \"phone\"\n : \"none\",\n existingUserWithVerifiedEmailId,\n existingUserWithVerifiedPhoneId,\n } as const;\n\n const linkHandlers = {\n both: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing email and phone verified users, so not linking: email: ${linkDispatch.existingUserWithVerifiedEmailId}, phone: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n );\n return null;\n }),\n email: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing email verified user, linking: ${linkDispatch.existingUserWithVerifiedEmailId}`,\n );\n return linkDispatch.existingUserWithVerifiedEmailId;\n }),\n phone: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing phone verified user, linking: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n );\n return linkDispatch.existingUserWithVerifiedPhoneId;\n }),\n none: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"No existing verified users found, creating new user\",\n );\n return null;\n }),\n } as const;\n\n userId = await Fx.run(linkHandlers[linkDispatch.tag]());\n }\n const userData = {\n ...(emailVerified ? { emailVerificationTime: Date.now() } : null),\n ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),\n ...profile,\n };\n const existingOrLinkedUserId = userId;\n if (userId !== null) {\n await Fx.run(\n Fx.from({\n ok: () => db.users.patch(userId!, userData),\n err: (error) =>\n Cv.error({\n code: \"USER_UPDATE_FAILED\",\n message:\n `Could not update user document with ID \\`${userId}\\`, ` +\n `either the user has been deleted but their account has not, ` +\n `or the profile data doesn't match the \\`users\\` table schema: ` +\n `${(error as Error).message}`,\n }),\n }).pipe(Fx.recover((e) => Fx.fatal(e))),\n );\n } else {\n userId = (await db.users.insert(userData)) as GenericId<\"User\">;\n }\n const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;\n if (afterUserCreatedOrUpdated !== undefined) {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"Calling custom afterUserCreatedOrUpdated callback\",\n );\n await afterUserCreatedOrUpdated(ctx, {\n userId,\n existingUserId: existingOrLinkedUserId,\n ...args,\n });\n } else {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"No custom afterUserCreatedOrUpdated callback, skipping\",\n );\n }\n return userId;\n}\n\nasync function uniqueUserWithVerifiedEmail(\n ctx: MutationCtx,\n email: string,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n return (await db.users.findByVerifiedEmail(email)) as Doc<\"User\"> | null;\n}\n\nasync function uniqueUserWithVerifiedPhone(\n ctx: MutationCtx,\n phone: string,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n return (await db.users.findByVerifiedPhone(phone)) as Doc<\"User\"> | null;\n}\n\nasync function createOrUpdateAccount(\n ctx: MutationCtx,\n userId: GenericId<\"User\">,\n account:\n | { existingAccount: Doc<\"Account\"> }\n | {\n providerAccountId: string;\n secret?: string;\n },\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n const mergedExtend =\n \"existingAccount\" in account\n ? mergeExtend(account.existingAccount.extend, args.accountExtend)\n : args.accountExtend;\n const accountId =\n \"existingAccount\" in account\n ? account.existingAccount._id\n : ((await db.accounts.create({\n userId,\n provider: args.provider.id,\n providerAccountId: account.providerAccountId,\n secret: account.secret,\n extend: mergedExtend,\n })) as GenericId<\"Account\">);\n // This is never used with the default `createOrUpdateUser` implementation,\n // but it is used for manual linking via custom `createOrUpdateUser`:\n if (\n \"existingAccount\" in account &&\n account.existingAccount.userId !== userId\n ) {\n await db.accounts.patch(accountId, { userId });\n }\n const accountPatchData: Record<string, unknown> = {};\n if (mergedExtend) {\n accountPatchData.extend = mergedExtend;\n }\n if (args.profile.emailVerified) {\n accountPatchData.emailVerified = args.profile.email;\n }\n if (args.profile.phoneVerified) {\n accountPatchData.phoneVerified = args.profile.phone;\n }\n if (Object.keys(accountPatchData).length > 0) {\n await db.accounts.patch(accountId, accountPatchData);\n }\n return accountId;\n}\n"],"mappings":";;;;;;AAuBA,SAAS,YACP,UACA,UACA;AACA,KAAI,CAAC,SACH;CAEF,MAAM,iBACJ,OAAO,aAAa,YACpB,aAAa,QACb,CAAC,MAAM,QAAQ,SAAS,GACnB,WACD;AACN,QAAO,iBAAiB;EAAE,GAAG;EAAgB,GAAG;EAAU,GAAG;;;AAI/D,eAAsB,qBACpB,KACA,WACA,SAMA,MACA,QACA,MAIC;CACD,MAAM,SAAS,MAAM,0BACnB,KACA,WACA,qBAAqB,UAAU,QAAQ,kBAAkB,MACzD,MACA,QACA,MAAM,kBAAkB,KACzB;AAQD,QAAO;EAAE;EAAQ,WAPC,MAAM,sBACtB,KACA,QACA,SACA,MACA,OACD;EAC2B;;AAG9B,eAAe,0BACb,KACA,mBACA,iBACA,MACA,QACA,wBACA;AACA,cAAa,WAAW,OAAO,mCAAmC;EAChE,mBAAmB,iBAAiB;EACpC;EACA;EACD,CAAC;CACF,MAAM,iBAAiB,iBAAiB,UAAU;CAClD,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,KAAI,OAAO,WAAW,uBAAuB,QAAW;AACtD,eAAa,WAAW,OAAO,2CAA2C;AAC1E,SAAO,MAAM,OAAO,UAAU,mBAAmB,KAAK;GACpD;GACA,GAAG;GACJ,CAAC;;CAGJ,MAAM,EACJ,UACA,SAAS,EACP,IAAI,YACJ,eAAe,sBACf,eAAe,sBACf,GAAG,cAEH;CACJ,MAAM,gBACJ,yBACC,SAAS,SAAS,WAAW,SAAS,mBAAmB;CAC5D,MAAM,gBAAgB,wBAAwB;CAC9C,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAChE,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAEhE,IAAI,SAAS,kBAAkB;AAC/B,KAAI,mBAAmB,MAAM;EAC3B,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EAEN,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EACN,MAAM,eAAe;GACnB,KACE,oCAAoC,QACpC,oCAAoC,OAChC,SACA,oCAAoC,OAClC,UACA,oCAAoC,OAClC,UACA;GACV;GACA;GACD;AAqCD,WAAS,MAAM,GAAG,IAnCG;GACnB,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,yEAAyE,aAAa,gCAAgC,WAAW,aAAa,kCAC/I;AACD,WAAO;KACP;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,sDACD;AACD,WAAO;KACP;GACL,CAEkC,aAAa,MAAM,CAAC;;CAEzD,MAAM,WAAW;EACf,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAG;EACJ;CACD,MAAM,yBAAyB;AAC/B,KAAI,WAAW,KACb,OAAM,GAAG,IACP,GAAG,KAAK;EACN,UAAU,GAAG,MAAM,MAAM,QAAS,SAAS;EAC3C,MAAM,UACJ,GAAG,MAAM;GACP,MAAM;GACN,SACE,4CAA4C,OAAO,gIAG/C,MAAgB;GACvB,CAAC;EACL,CAAC,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CACxC;KAED,UAAU,MAAM,GAAG,MAAM,OAAO,SAAS;CAE3C,MAAM,4BAA4B,OAAO,WAAW;AACpD,KAAI,8BAA8B,QAAW;AAC3C,eACE,WAAW,OACX,oDACD;AACD,QAAM,0BAA0B,KAAK;GACnC;GACA,gBAAgB;GAChB,GAAG;GACJ,CAAC;OAEF,cACE,WAAW,OACX,yDACD;AAEH,QAAO;;AAGT,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,sBACb,KACA,QACA,SAMA,MACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eACJ,qBAAqB,UACjB,YAAY,QAAQ,gBAAgB,QAAQ,KAAK,cAAc,GAC/D,KAAK;CACX,MAAM,YACJ,qBAAqB,UACjB,QAAQ,gBAAgB,MACtB,MAAM,GAAG,SAAS,OAAO;EACzB;EACA,UAAU,KAAK,SAAS;EACxB,mBAAmB,QAAQ;EAC3B,QAAQ,QAAQ;EAChB,QAAQ;EACT,CAAC;AAGR,KACE,qBAAqB,WACrB,QAAQ,gBAAgB,WAAW,OAEnC,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,QAAQ,CAAC;CAEhD,MAAM,mBAA4C,EAAE;AACpD,KAAI,aACF,kBAAiB,SAAS;AAE5B,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,OAAO,KAAK,iBAAiB,CAAC,SAAS,EACzC,OAAM,GAAG,SAAS,MAAM,WAAW,iBAAiB;AAEtD,QAAO"}
|
package/dist/server/utils.d.ts
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export { };
|