@robelest/convex-auth 0.0.4-preview.27 → 0.0.4-preview.28

package/dist/server/mutations/account.js

@@ -4,7 +4,6 @@ import { authDb } from "../db.js";
 import { log, maybeRedact } from "../log.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { ConvexError, v } from "convex/values";
-import { Effect, Match } from "effect";
 
 //#region src/server/mutations/account.ts
 const modifyAccountArgs = v.object({
@@ -14,7 +13,7 @@ const modifyAccountArgs = v.object({
 		secret: v.string()
 	})
 });
-function modifyAccountImpl(ctx, args, getProviderOrThrow, config) {
+async function modifyAccountImpl(ctx, args, getProviderOrThrow, config) {
 	const { provider, account } = args;
 	const db = authDb(ctx, config);
 	log(LOG_LEVELS.DEBUG, "modifyAccountImpl args:", {
@@ -24,10 +23,13 @@ function modifyAccountImpl(ctx, args, getProviderOrThrow, config) {
 			secret: maybeRedact(account.secret ?? "")
 		}
 	});
-	return Effect.flatMap(Effect.promise(() => db.accounts.get(provider, account.id)), (existingAccount) => Match.value(existingAccount).pipe(Match.when(null, () => Effect.fail(new ConvexError({
+	const existingAccount = await db.accounts.get(provider, account.id);
+	if (existingAccount === null) throw new ConvexError({
 		code: "ACCOUNT_NOT_FOUND",
 		message: `Cannot modify account with ID ${account.id} because it does not exist`
-	}))), Match.orElse((existingAccount$1) => Effect.flatMap(hash(getProviderOrThrow(provider), account.secret), (hashedSecret) => Effect.promise(() => db.accounts.patch(existingAccount$1._id, { secret: hashedSecret }))))));
+	});
+	const hashedSecret = await hash(getProviderOrThrow(provider), account.secret);
+	await db.accounts.patch(existingAccount._id, { secret: hashedSecret });
 }
 const callModifyAccount = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {

package/dist/server/mutations/invalidate.js

@@ -4,7 +4,6 @@ import { log } from "../log.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { deleteSession } from "../sessions.js";
 import { v } from "convex/values";
-import { Effect } from "effect";
 
 //#region src/server/mutations/invalidate.ts
 const invalidateSessionsArgs = v.object({
@@ -17,15 +16,13 @@ const callInvalidateSessions = async (ctx, args) => {
 		...args
 	} });
 };
-function invalidateSessionsImpl(ctx, args, config) {
+async function invalidateSessionsImpl(ctx, args, config) {
 	log(LOG_LEVELS.DEBUG, "invalidateSessionsImpl args:", args);
 	const { userId, except } = args;
 	const exceptSet = new Set(except ?? []);
 	const typedUserId = userId;
-	return Effect.gen(function* () {
-		const sessions = yield* Effect.promise(() => authDb(ctx, config).sessions.listByUser(typedUserId));
-		yield* Effect.forEach(sessions, (session) => exceptSet.has(session._id) ? Effect.void : Effect.promise(() => deleteSession(ctx, session, config)), { discard: true });
-	});
+	const sessions = await authDb(ctx, config).sessions.listByUser(typedUserId);
+	await Promise.all(sessions.map((session) => exceptSet.has(session._id) ? Promise.resolve() : deleteSession(ctx, session, config)));
 }
 
 //#endregion

package/dist/server/mutations/oauth.js

@@ -9,7 +9,6 @@ import { GROUP_OIDC_PROVIDER_PREFIX, GROUP_SAML_PROVIDER_PREFIX, isGroupProvider
 import { createSyntheticOAuthMaterializedConfig } from "../sso/oidc.js";
 import { normalizeGroupConnectionPolicy, resolveProvisionedRoleIds } from "../sso/policy.js";
 import { ConvexError, v } from "convex/values";
-import { Effect } from "effect";
 
 //#region src/server/mutations/oauth.ts
 const OAUTH_SIGN_IN_EXPIRATION_MS = 1e3 * 60 * 2;
@@ -44,106 +43,105 @@ function normalizeAccountExtend(provider, providerAccountId, accountExtend) {
 		}
 	};
 }
-function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
+async function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 	log("DEBUG", "userOAuthImpl args:", args);
 	const { profile, provider, providerAccountId, signature, accountExtend } = args;
 	const typedProfile = profile;
 	const db = authDb(ctx, config);
 	const connectionId = provider.startsWith(GROUP_OIDC_PROVIDER_PREFIX) ? provider.slice(GROUP_OIDC_PROVIDER_PREFIX.length) : provider.startsWith(GROUP_SAML_PROVIDER_PREFIX) ? provider.slice(GROUP_SAML_PROVIDER_PREFIX.length) : null;
 	const connectionProtocol = provider.startsWith(GROUP_OIDC_PROVIDER_PREFIX) ? "oidc" : provider.startsWith(GROUP_SAML_PROVIDER_PREFIX) ? "saml" : null;
-	return Effect.gen(function* () {
-		const existingAccount = yield* Effect.promise(() => db.accounts.get(provider, providerAccountId));
-		const connection = connectionId !== null ? yield* Effect.promise(() => getGroupConnection(ctx, config.component.public, connectionId)) : null;
-		const group = connection !== null ? yield* Effect.promise(() => getGroup(ctx, config.component.public, connection.groupId)) : null;
-		const connectionPolicy = connection ? normalizeGroupConnectionPolicy(group?.policy) : null;
-		const existingScimIdentity = connectionId !== null && existingAccount === null && connectionPolicy?.provisioning.scimReuse.user === "externalId" ? yield* Effect.promise(() => ctx.runQuery(config.component.public.groupConnectionScimIdentityGet, {
-			connectionId,
-			resourceType: "user",
-			externalId: providerAccountId
-		})) : null;
-		const verifier = yield* Effect.tryPromise({
-			try: () => db.verifiers.getBySignature(signature),
-			catch: () => new ConvexError({
-				code: "OAUTH_INVALID_STATE",
-				message: "Invalid OAuth state. Please try signing in again."
-			})
-		}).pipe(Effect.flatMap((verifier$1) => verifier$1 === null ? Effect.fail(new ConvexError({
+	const existingAccount = await db.accounts.get(provider, providerAccountId);
+	const connection = connectionId !== null ? await getGroupConnection(ctx, config.component.public, connectionId) : null;
+	const group = connection !== null ? await getGroup(ctx, config.component.public, connection.groupId) : null;
+	const connectionPolicy = connection ? normalizeGroupConnectionPolicy(group?.policy) : null;
+	const existingScimIdentity = connectionId !== null && existingAccount === null && connectionPolicy?.provisioning.scimReuse.user === "externalId" ? await ctx.runQuery(config.component.public.groupConnectionScimIdentityGet, {
+		connectionId,
+		resourceType: "user",
+		externalId: providerAccountId
+	}) : null;
+	let verifier;
+	try {
+		verifier = await db.verifiers.getBySignature(signature);
+	} catch {
+		throw new ConvexError({
 			code: "OAUTH_INVALID_STATE",
 			message: "Invalid OAuth state. Please try signing in again."
-		})) : Effect.succeed(verifier$1)));
-		const profileResolved = (yield* Effect.promise(async () => config.sso?.hooks?.profileResolved ? await config.sso.hooks.profileResolved({
-			protocol: connectionProtocol ?? "oidc",
-			connectionId: connectionId ?? void 0,
-			profile: typedProfile
-		}) : void 0)) ?? typedProfile;
-		const profileForProvisioning = (yield* Effect.promise(async () => config.sso?.hooks?.beforeProvision ? await config.sso.hooks.beforeProvision({
-			protocol: connectionProtocol ?? "oidc",
-			connectionId: connectionId ?? void 0,
-			profile: profileResolved
-		}) : void 0)) ?? profileResolved;
-		const { accountId } = yield* Effect.promise(() => upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
-			type: "oauth",
-			provider: isGroupProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: connectionProtocol === "oidc" ? connectionPolicy?.identity.accountLinking.oidc : connectionProtocol === "saml" ? connectionPolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),
-			profile: profileForProvisioning,
-			accountExtend: normalizeAccountExtend(provider, providerAccountId, accountExtend)
-		}, config, connectionPolicy?.provisioning.user ? {
-			existingUserId: existingScimIdentity?.userId,
-			provisioningUser: connectionPolicy.provisioning.user,
-			source: "login"
-		} : existingScimIdentity?.userId ? { existingUserId: existingScimIdentity.userId } : void 0));
-		if (connectionId !== null && connectionPolicy?.provisioning.jit.mode === "createUserAndMembership") {
-			const userId = (yield* Effect.promise(() => db.accounts.getById(accountId)))?.userId;
-			if (userId) {
-				const groupId = connection?.groupId;
-				if (groupId) {
-					const provisionedRoleIds = resolveProvisionedRoleIds({
-						policy: connectionPolicy,
-						groups: Array.isArray(typedProfile.groups) ? typedProfile.groups : void 0,
-						roles: Array.isArray(typedProfile.roles) ? typedProfile.roles : void 0
-					});
-					const existingMembership = yield* Effect.promise(() => ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
-						userId,
-						groupId
-					}));
-					if (existingMembership === null) yield* Effect.promise(() => ctx.runMutation(config.component.public.memberAdd, {
-						groupId,
-						userId,
-						roleIds: provisionedRoleIds,
-						status: "active"
-					}));
-					else if (provisionedRoleIds.length > 0) yield* Effect.promise(() => ctx.runMutation(config.component.public.memberUpdate, {
-						memberId: existingMembership._id,
-						data: { roleIds: provisionedRoleIds }
-					}));
-				}
+		});
+	}
+	if (verifier === null) throw new ConvexError({
+		code: "OAUTH_INVALID_STATE",
+		message: "Invalid OAuth state. Please try signing in again."
+	});
+	const profileResolved = (config.sso?.hooks?.profileResolved ? await config.sso.hooks.profileResolved({
+		protocol: connectionProtocol ?? "oidc",
+		connectionId: connectionId ?? void 0,
+		profile: typedProfile
+	}) : void 0) ?? typedProfile;
+	const profileForProvisioning = (config.sso?.hooks?.beforeProvision ? await config.sso.hooks.beforeProvision({
+		protocol: connectionProtocol ?? "oidc",
+		connectionId: connectionId ?? void 0,
+		profile: profileResolved
+	}) : void 0) ?? profileResolved;
+	const { accountId } = await upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
+		type: "oauth",
+		provider: isGroupProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: connectionProtocol === "oidc" ? connectionPolicy?.identity.accountLinking.oidc : connectionProtocol === "saml" ? connectionPolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),
+		profile: profileForProvisioning,
+		accountExtend: normalizeAccountExtend(provider, providerAccountId, accountExtend)
+	}, config, connectionPolicy?.provisioning.user ? {
+		existingUserId: existingScimIdentity?.userId,
+		provisioningUser: connectionPolicy.provisioning.user,
+		source: "login"
+	} : existingScimIdentity?.userId ? { existingUserId: existingScimIdentity.userId } : void 0);
+	if (connectionId !== null && connectionPolicy?.provisioning.jit.mode === "createUserAndMembership") {
+		const userId = (await db.accounts.getById(accountId))?.userId;
+		if (userId) {
+			const groupId = connection?.groupId;
+			if (groupId) {
+				const provisionedRoleIds = resolveProvisionedRoleIds({
+					policy: connectionPolicy,
+					groups: Array.isArray(typedProfile.groups) ? typedProfile.groups : void 0,
+					roles: Array.isArray(typedProfile.roles) ? typedProfile.roles : void 0
+				});
+				const existingMembership = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
+					userId,
+					groupId
+				});
+				if (existingMembership === null) await ctx.runMutation(config.component.public.memberAdd, {
+					groupId,
+					userId,
+					roleIds: provisionedRoleIds,
+					status: "active"
+				});
+				else if (provisionedRoleIds.length > 0) await ctx.runMutation(config.component.public.memberUpdate, {
+					memberId: existingMembership._id,
+					data: { roleIds: provisionedRoleIds }
+				});
 			}
 		}
-		if (connectionId !== null) {
-			const userId = (yield* Effect.promise(() => db.accounts.getById(accountId)))?.userId;
-			if (userId) yield* Effect.promise(async () => {
-				if (config.sso?.hooks?.afterProvision) await config.sso.hooks.afterProvision({
-					protocol: connectionProtocol ?? "oidc",
-					connectionId,
-					profile: profileForProvisioning,
-					userId
-				});
+	}
+	if (connectionId !== null) {
+		const userId = (await db.accounts.getById(accountId))?.userId;
+		if (userId) {
+			if (config.sso?.hooks?.afterProvision) await config.sso.hooks.afterProvision({
+				protocol: connectionProtocol ?? "oidc",
+				connectionId,
+				profile: profileForProvisioning,
+				userId
 			});
 		}
-		const code = generateRandomString(8, "0123456789");
-		yield* Effect.promise(() => db.verifiers.delete(verifier._id));
-		const existingVerificationCode = yield* Effect.promise(() => db.verificationCodes.getByAccountId(accountId));
-		if (existingVerificationCode !== null) yield* Effect.promise(() => db.verificationCodes.delete(existingVerificationCode._id));
-		yield* Effect.promise(async () => {
-			await db.verificationCodes.create({
-				code: await sha256(code),
-				accountId,
-				provider,
-				expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,
-				verifier: verifier._id
-			});
-		});
-		return code;
+	}
+	const code = generateRandomString(8, "0123456789");
+	await db.verifiers.delete(verifier._id);
+	const existingVerificationCode = await db.verificationCodes.getByAccountId(accountId);
+	if (existingVerificationCode !== null) await db.verificationCodes.delete(existingVerificationCode._id);
+	await db.verificationCodes.create({
+		code: await sha256(code),
+		accountId,
+		provider,
+		expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,
+		verifier: verifier._id
 	});
+	return code;
 }
 const callUserOAuth = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {

package/dist/server/mutations/refresh.js

@@ -1,104 +1,62 @@
 import { authDb } from "../db.js";
 import { log, maybeRedact } from "../log.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
-import { REFRESH_TOKEN_REUSE_WINDOW_MS, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid } from "../refresh.js";
+import { REFRESH_TOKEN_REUSE_WINDOW_MS, parseRefreshToken, refreshTokenExpirationTime } from "../refresh.js";
 import { generateTokensForSession } from "../sessions.js";
+import { withSpan } from "../utils/span.js";
 import { v } from "convex/values";
-import { Data, Effect, Match } from "effect";
 
 //#region src/server/mutations/refresh.ts
-const asSessionId = (id) => id;
-const asRefreshTokenId = (id) => id;
 const refreshSessionArgs = v.object({ refreshToken: v.string() });
-var RefreshFailure = class extends Data.TaggedError("RefreshFailure") {};
-const softTry = (try_, reason) => Effect.tryPromise({
-	try: try_,
-	catch: () => new RefreshFailure({ reason })
-});
-const softTryEffect = (effect, reason) => effect.pipe(Effect.mapError(() => new RefreshFailure({ reason })));
-const softCleanup = (effect) => effect.pipe(Effect.catchTag("RefreshFailure", (failure) => Effect.sync(() => {
-	log("DEBUG", failure.reason);
-})), Effect.asVoid);
-function refreshSessionImpl(ctx, args, _getProviderOrThrow, config) {
+async function refreshSessionImpl(ctx, args, config) {
 	const db = authDb(ctx, config);
-	const { refreshToken } = args;
-	return Effect.gen(function* () {
-		const { refreshTokenId, sessionId: tokenSessionId } = yield* parseRefreshToken(refreshToken).pipe(Effect.mapError((error) => new RefreshFailure({ reason: error.data.message })));
-		yield* Effect.sync(() => {
-			log("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`);
-		});
-		const validationResult = yield* refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config);
-		if (validationResult === null) {
-			yield* softCleanup(softTry(async () => {
-				const session$1 = await db.sessions.getById(asSessionId(tokenSessionId));
-				if (session$1 !== null) await db.sessions.delete(session$1._id);
-			}, "Skipping invalid session id during refresh cleanup"));
-			yield* softCleanup(softTry(() => authDb(ctx, config).refreshTokens.deleteAll(asSessionId(tokenSessionId)), "Skipping invalid token session id during refresh token cleanup"));
-			return null;
-		}
-		const { session, refreshTokenDoc } = validationResult;
-		const sessionId = session._id;
-		const userId = session.userId;
-		const tokenFirstUsed = refreshTokenDoc.firstUsedTime;
-		const tokenDispatch = tokenFirstUsed === void 0 ? { tag: "firstUse" } : {
-			tag: "reuse",
-			tokenFirstUsed
-		};
-		return yield* Match.value(tokenDispatch).pipe(Match.when({ tag: "firstUse" }, () => softTryEffect(Effect.gen(function* () {
-			yield* Effect.promise(() => db.refreshTokens.patch(asRefreshTokenId(refreshTokenId), { firstUsedTime: Date.now() }));
-			const result = yield* Effect.promise(() => generateTokensForSession(ctx, config, {
-				userId,
-				sessionId,
-				issuedRefreshTokenId: null,
-				parentRefreshTokenId: asRefreshTokenId(refreshTokenId)
-			}));
-			const { refreshTokenId: newRefreshTokenId } = yield* parseRefreshToken(result.refreshToken).pipe(Effect.mapError((error) => new RefreshFailure({ reason: error.data.message })));
-			yield* Effect.sync(() => {
-				log("DEBUG", `Exchanged ${maybeRedact(refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`);
-			});
-			return result;
-		}), "Failed during first-use token exchange")), Match.when({ tag: "reuse" }, ({ tokenFirstUsed: tokenFirstUsed$1 }) => softTry(() => authDb(ctx, config).refreshTokens.getActive(asSessionId(tokenSessionId)), "Failed to load active refresh token").pipe(Effect.flatMap((activeRefreshToken) => {
-			log("DEBUG", `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? "(none)")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? "(none)")}`);
-			const reuseDispatch = activeRefreshToken !== null && activeRefreshToken.parentRefreshTokenId === refreshTokenId ? {
-				tag: "parentOfActive",
-				activeRefreshToken
-			} : tokenFirstUsed$1 + REFRESH_TOKEN_REUSE_WINDOW_MS > Date.now() ? { tag: "withinReuseWindow" } : { tag: "outsideReuseWindow" };
-			return Match.value(reuseDispatch).pipe(Match.when({ tag: "parentOfActive" }, ({ activeRefreshToken: activeRefreshToken$1 }) => softTry(() => generateTokensForSession(ctx, config, {
-				userId,
-				sessionId,
-				issuedRefreshTokenId: activeRefreshToken$1._id,
-				parentRefreshTokenId: asRefreshTokenId(refreshTokenId)
-			}), "Failed to generate tokens for parent reuse").pipe(Effect.tap(() => Effect.sync(() => {
-				log("DEBUG", `Token ${maybeRedact(refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(activeRefreshToken$1._id)}, so returning that token`);
-			})))), Match.when({ tag: "withinReuseWindow" }, () => softTryEffect(Effect.gen(function* () {
-				const result = yield* Effect.promise(() => generateTokensForSession(ctx, config, {
-					userId,
+	return withSpan("convex-auth.refresh.session", { hasRefreshToken: true }, async () => {
+		try {
+			let refreshTokenId;
+			let sessionId;
+			try {
+				({refreshTokenId, sessionId} = parseRefreshToken(args.refreshToken));
+			} catch {
+				throw new RefreshFailure("Failed to parse refresh token");
+			}
+			log("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(sessionId)}`);
+			let exchanged;
+			try {
+				exchanged = await db.refreshTokens.exchange({
+					refreshTokenId,
 					sessionId,
-					issuedRefreshTokenId: null,
-					parentRefreshTokenId: asRefreshTokenId(refreshTokenId)
-				}));
-				const { refreshTokenId: newRefreshTokenId } = yield* parseRefreshToken(result.refreshToken).pipe(Effect.mapError((error) => new RefreshFailure({ reason: error.data.message })));
-				yield* Effect.sync(() => {
-					log("DEBUG", `Exchanged ${maybeRedact(refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`);
-				});
-				return result;
-			}), "Failed to generate tokens for reuse window")), Match.when({ tag: "outsideReuseWindow" }, () => softTryEffect(Effect.gen(function* () {
-				yield* Effect.sync(() => {
-					log("ERROR", "Refresh token used outside of reuse window");
-					log("DEBUG", `Token ${maybeRedact(refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`);
+					now: Date.now(),
+					refreshTokenExpirationTime: refreshTokenExpirationTime(config),
+					reuseWindowMs: REFRESH_TOKEN_REUSE_WINDOW_MS
 				});
-				const tokensToInvalidate = yield* invalidateRefreshTokensInSubtree(ctx, refreshTokenDoc, config);
-				yield* Effect.sync(() => {
-					log("DEBUG", `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate.map((token) => maybeRedact(token._id)).join(", ")}`);
+			} catch {
+				throw new RefreshFailure("Failed to exchange refresh token");
+			}
+			if (exchanged === null) return null;
+			try {
+				return await generateTokensForSession(config, {
+					userId: exchanged.userId,
+					sessionId: exchanged.sessionId,
+					refreshTokenId: exchanged.refreshTokenId
 				});
+			} catch {
+				throw new RefreshFailure("Failed to generate refresh-session tokens");
+			}
+		} catch (e) {
+			if (e instanceof RefreshFailure) {
+				log("DEBUG", e.reason);
 				return null;
-			}), "Failed to invalidate refresh tokens in subtree")), Match.exhaustive);
-		}))), Match.exhaustive);
-	}).pipe(Effect.withSpan("convex-auth.refresh.session", { attributes: { hasRefreshToken: true } }), Effect.catch((failure) => Effect.sync(() => {
-		log("DEBUG", failure.reason);
-		return null;
-	})));
+			}
+			throw e;
+		}
+	});
 }
+var RefreshFailure = class extends Error {
+	constructor(reason) {
+		super(reason);
+		this.reason = reason;
+	}
+};
 const callRefreshSession = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {
 		type: "refreshSession",

package/dist/server/mutations/register.js

@@ -7,7 +7,6 @@ import { getAuthSessionId } from "../sessions.js";
 import { upsertUserAndAccount } from "../users.js";
 import { payloadRecordValidator } from "../payloads.js";
 import { ConvexError, v } from "convex/values";
-import { Effect, Match } from "effect";
 
 //#region src/server/mutations/register.ts
 const createAccountFromCredentialsArgs = v.object({
@@ -20,7 +19,7 @@ const createAccountFromCredentialsArgs = v.object({
 	shouldLinkViaEmail: v.optional(v.boolean()),
 	shouldLinkViaPhone: v.optional(v.boolean())
 });
-function createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, config) {
+async function createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, config) {
 	log(LOG_LEVELS.DEBUG, "createAccountFromCredentialsImpl args:", {
 		provider: args.provider,
 		account: {
@@ -32,10 +31,11 @@ function createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, config)
 	const db = authDb(ctx, config);
 	const provider = getProviderOrThrow(providerId);
 	const typedProfile = profile;
-	return Effect.flatMap(Effect.promise(() => db.accounts.get(provider.id, account.id)), (existingAccount) => Match.value(existingAccount).pipe(Match.when(null, () => Effect.gen(function* () {
+	const existingAccount = await db.accounts.get(provider.id, account.id);
+	if (existingAccount === null) {
 		const accountSecret = account.secret;
-		const secret = accountSecret === void 0 ? void 0 : yield* hash(provider, accountSecret);
-		const { userId, accountId } = yield* Effect.promise(async () => upsertUserAndAccount(ctx, await getAuthSessionId(ctx), {
+		const secret = accountSecret === void 0 ? void 0 : await hash(provider, accountSecret);
+		const { userId, accountId } = await upsertUserAndAccount(ctx, await getAuthSessionId(ctx), {
 			providerAccountId: account.id,
 			secret
 		}, {
@@ -44,38 +44,38 @@ function createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, config)
 			profile: typedProfile,
 			shouldLinkViaEmail,
 			shouldLinkViaPhone
-		}, config));
-		const [createdAccount, createdUser] = yield* Effect.all([Effect.promise(() => db.accounts.getById(accountId)), Effect.promise(() => db.users.getById(userId))]);
-		if (createdAccount === null) return yield* Effect.fail(new ConvexError({
+		}, config);
+		const [createdAccount, createdUser] = await Promise.all([db.accounts.getById(accountId), db.users.getById(userId)]);
+		if (createdAccount === null) throw new ConvexError({
 			code: "ACCOUNT_NOT_FOUND",
 			message: "Created account was not found."
-		}));
-		if (createdUser === null) return yield* Effect.fail(new ConvexError({
+		});
+		if (createdUser === null) throw new ConvexError({
 			code: "USER_UPDATE_FAILED",
 			message: "Created user was not found."
-		}));
+		});
 		return {
 			account: createdAccount,
 			user: createdUser
 		};
-	})), Match.orElse((existingAccount$1) => Effect.gen(function* () {
+	} else {
 		if (account.secret !== void 0) {
 			const accountSecret = account.secret;
-			if (!(yield* verify(provider, accountSecret, existingAccount$1.secret ?? ""))) return yield* Effect.fail(new ConvexError({
+			if (!await verify(provider, accountSecret, existingAccount.secret ?? "")) throw new ConvexError({
 				code: "INVALID_CREDENTIALS",
 				message: "Invalid credentials."
-			}));
+			});
 		}
-		const user = yield* Effect.promise(() => db.users.getById(existingAccount$1.userId));
-		if (user === null) return yield* Effect.fail(new ConvexError({
+		const user = await db.users.getById(existingAccount.userId);
+		if (user === null) throw new ConvexError({
 			code: "ACCOUNT_NOT_FOUND",
 			message: `Linked user for account ${account.id} was not found.`
-		}));
+		});
 		return {
-			account: existingAccount$1,
+			account: existingAccount,
 			user
 		};
-	}))));
+	}
 }
 const callCreateAccountFromCredentials = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {

package/dist/server/mutations/retrieve.js

@@ -5,7 +5,6 @@ import { log, maybeRedact } from "../log.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../limits.js";
 import { v } from "convex/values";
-import { Effect, Match } from "effect";
 
 //#region src/server/mutations/retrieve.ts
 const retrieveAccountWithCredentialsArgs = v.object({
@@ -15,7 +14,7 @@ const retrieveAccountWithCredentialsArgs = v.object({
 		secret: v.optional(v.string())
 	})
 });
-function retrieveAccountWithCredentialsImpl(ctx, args, getProviderOrThrow, config) {
+async function retrieveAccountWithCredentialsImpl(ctx, args, getProviderOrThrow, config) {
 	const { provider: providerId, account } = args;
 	const db = authDb(ctx, config);
 	log(LOG_LEVELS.DEBUG, "retrieveAccountWithCredentialsImpl args:", {
@@ -25,27 +24,30 @@ function retrieveAccountWithCredentialsImpl(ctx, args, getProviderOrThrow, confi
 			secret: maybeRedact(account.secret ?? "")
 		}
 	});
-	return Effect.catch(Effect.gen(function* () {
-		const existingAccount = yield* Effect.promise(() => db.accounts.get(providerId, account.id));
+	try {
+		const existingAccount = await db.accounts.get(providerId, account.id);
 		if (existingAccount === null) return "InvalidAccountId";
 		if (account.secret !== void 0) {
 			const accountSecret = account.secret;
-			if (yield* isSignInRateLimited(ctx, existingAccount._id, config)) return "TooManyFailedAttempts";
-			if (!(yield* verify(getProviderOrThrow(providerId), accountSecret, existingAccount.secret ?? ""))) {
-				yield* recordFailedSignIn(ctx, existingAccount._id, config);
+			if (await isSignInRateLimited(ctx, existingAccount._id, config)) return "TooManyFailedAttempts";
+			if (!await verify(getProviderOrThrow(providerId), accountSecret, existingAccount.secret ?? "")) {
+				await recordFailedSignIn(ctx, existingAccount._id, config);
 				return "InvalidSecret";
 			}
-			yield* resetSignInRateLimit(ctx, existingAccount._id, config);
+			await resetSignInRateLimit(ctx, existingAccount._id, config);
 		}
-		const user = yield* Effect.promise(() => db.users.getById(existingAccount.userId));
-		return yield* Match.value(user).pipe(Match.when(null, () => {
+		const user = await db.users.getById(existingAccount.userId);
+		if (user === null) {
 			log(LOG_LEVELS.ERROR, `Account ${existingAccount._id} is linked to missing user ${existingAccount.userId}`);
-			return Effect.succeed("InvalidAccountId");
-		}), Match.orElse((user$1) => Effect.succeed({
+			return "InvalidAccountId";
+		}
+		return {
 			account: existingAccount,
-			user: user$1
-		})));
-	}), () => Effect.succeed("InvalidAccountId"));
+			user
+		};
+	} catch {
+		return "InvalidAccountId";
+	}
 }
 const callRetrieveAccountWithCredentials = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {

package/dist/server/mutations/signature.js

@@ -1,31 +1,27 @@
 import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { ConvexError, v } from "convex/values";
-import { Effect, Option, pipe } from "effect";
 
 //#region src/server/mutations/signature.ts
 const verifierSignatureArgs = v.object({
 	verifier: v.string(),
 	signature: v.string()
 });
-function verifierSignatureImpl(ctx, args, config) {
+async function verifierSignatureImpl(ctx, args, config) {
 	const { verifier, signature } = args;
 	const db = authDb(ctx, config);
 	const invalidVerifierError = new ConvexError({
 		code: "INVALID_VERIFIER",
 		message: "Invalid or expired verifier."
 	});
-	return Effect.gen(function* () {
-		const verifierDoc = yield* Effect.tryPromise({
-			try: () => db.verifiers.getById(verifier),
-			catch: () => invalidVerifierError
-		});
-		const existingVerifier = yield* pipe(Option.fromNullishOr(verifierDoc), Option.match({
-			onNone: () => Effect.fail(invalidVerifierError),
-			onSome: (verifierDoc$1) => Effect.succeed(verifierDoc$1)
-		}));
-		yield* Effect.promise(() => db.verifiers.patch(existingVerifier._id, { signature }));
-	});
+	let verifierDoc;
+	try {
+		verifierDoc = await db.verifiers.getById(verifier);
+	} catch {
+		throw invalidVerifierError;
+	}
+	if (verifierDoc == null) throw invalidVerifierError;
+	await db.verifiers.patch(verifierDoc._id, { signature });
 }
 const callVerifierSignature = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {

package/dist/server/mutations/signin.js

@@ -1,7 +1,7 @@
 import { LOG_LEVELS } from "../../shared/log.js";
 import { log } from "../log.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
-import { createNewAndDeleteExistingSession, maybeGenerateTokensForSession } from "../sessions.js";
+import { getAuthSessionId, issueSession } from "../sessions.js";
 import { v } from "convex/values";
 
 //#region src/server/mutations/signin.ts
@@ -13,8 +13,12 @@ const signInArgs = v.object({
 async function signInImpl(ctx, args, config) {
 	log(LOG_LEVELS.DEBUG, "signInImpl args:", args);
 	const { userId, sessionId: existingSessionId, generateTokens } = args;
-	const typedUserId = userId;
-	return await maybeGenerateTokensForSession(ctx, config, typedUserId, existingSessionId ?? await createNewAndDeleteExistingSession(ctx, config, typedUserId), generateTokens);
+	return await issueSession(ctx, config, {
+		userId,
+		existingSessionId,
+		replaceSessionId: existingSessionId === void 0 ? await getAuthSessionId(ctx) ?? void 0 : void 0,
+		generateTokens
+	});
 }
 const callSignIn = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {