@robelest/convex-auth 0.0.4-preview.27 → 0.0.4-preview.28

package/dist/server/mutations/signout.js

@@ -1,24 +1,19 @@
 import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { deleteSession, getAuthSessionId } from "../sessions.js";
-import { Effect, Option, pipe } from "effect";
 
 //#region src/server/mutations/signout.ts
-function signOutImpl(ctx, config) {
+async function signOutImpl(ctx, config) {
 	const db = authDb(ctx, config);
-	return Effect.gen(function* () {
-		const sessionId = yield* Effect.promise(() => getAuthSessionId(ctx));
-		return yield* pipe(Option.fromNullishOr(sessionId), Option.match({
-			onNone: () => Effect.succeed(null),
-			onSome: (sessionId$1) => Effect.flatMap(Effect.promise(() => db.sessions.getById(sessionId$1)), (session) => pipe(Option.fromNullishOr(session), Option.match({
-				onNone: () => Effect.succeed(null),
-				onSome: (session$1) => Effect.as(Effect.promise(() => deleteSession(ctx, session$1, config)), {
-					userId: session$1.userId,
-					sessionId: session$1._id
-				})
-			})))
-		}));
-	});
+	const sessionId = await getAuthSessionId(ctx);
+	if (sessionId == null) return null;
+	const session = await db.sessions.getById(sessionId);
+	if (session == null) return null;
+	await deleteSession(ctx, session, config);
+	return {
+		userId: session.userId,
+		sessionId: session._id
+	};
 }
 const callSignOut = async (ctx) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: { type: "signOut" } });

package/dist/server/mutations/store.js

@@ -10,10 +10,9 @@ import { retrieveAccountWithCredentialsArgs, retrieveAccountWithCredentialsImpl
 import { verifierSignatureArgs, verifierSignatureImpl } from "./signature.js";
 import { signInArgs, signInImpl } from "./signin.js";
 import { signOutImpl } from "./signout.js";
-import { verifierImpl } from "./verifier.js";
+import { verifierArgs, verifierImpl } from "./verifier.js";
 import { verifyCodeAndSignInArgs, verifyCodeAndSignInImpl } from "./verify.js";
 import { v } from "convex/values";
-import { Cause, Effect, Exit, Match } from "effect";
 
 //#region src/server/mutations/store.ts
 const storeArgs = v.object({ args: v.union(v.object({
@@ -25,7 +24,10 @@ const storeArgs = v.object({ args: v.union(v.object({
 }), v.object({
 	type: v.literal("verifyCodeAndSignIn"),
 	...verifyCodeAndSignInArgs.fields
-}), v.object({ type: v.literal("verifier") }), v.object({
+}), v.object({
+	type: v.literal("verifier"),
+	...verifierArgs.fields
+}), v.object({
 	type: v.literal("verifierSignature"),
 	...verifierSignatureArgs.fields
 }), v.object({
@@ -51,15 +53,23 @@ const storeImpl = async (ctx, fnArgs, services) => {
 	const args = fnArgs.args;
 	const config = services.config;
 	const getProviderOrThrow = services.providerRegistry.getProviderOrThrow;
-	log(LOG_LEVELS.INFO, `\`auth:store\` type: ${args.type}`);
-	const program = Match.value(args).pipe(Match.when({ type: "signIn" }, (args$1) => Effect.promise(() => signInImpl(ctx, args$1, config))), Match.when({ type: "signOut" }, () => signOutImpl(ctx, config)), Match.when({ type: "refreshSession" }, (args$1) => services.refresh.refresh(ctx, args$1, getProviderOrThrow)), Match.when({ type: "verifyCodeAndSignIn" }, (args$1) => verifyCodeAndSignInImpl(ctx, args$1, getProviderOrThrow, config)), Match.when({ type: "verifier" }, () => verifierImpl(ctx, config)), Match.when({ type: "verifierSignature" }, (args$1) => verifierSignatureImpl(ctx, args$1, config)), Match.when({ type: "userOAuth" }, (args$1) => userOAuthImpl(ctx, args$1, getProviderOrThrow, config)), Match.when({ type: "createVerificationCode" }, (args$1) => Effect.promise(() => createVerificationCodeImpl(ctx, args$1, getProviderOrThrow, config))), Match.when({ type: "createAccountFromCredentials" }, (args$1) => createAccountFromCredentialsImpl(ctx, args$1, getProviderOrThrow, config)), Match.when({ type: "retrieveAccountWithCredentials" }, (args$1) => retrieveAccountWithCredentialsImpl(ctx, args$1, getProviderOrThrow, config)), Match.when({ type: "modifyAccount" }, (args$1) => modifyAccountImpl(ctx, args$1, getProviderOrThrow, config)), Match.when({ type: "invalidateSessions" }, (args$1) => invalidateSessionsImpl(ctx, args$1, config)), Match.exhaustive);
-	const exit = await Effect.runPromiseExit(program);
-	return Exit.match(exit, {
-		onSuccess: (value) => value,
-		onFailure: (cause) => {
-			throw Cause.squash(cause);
-		}
-	});
+	log(LOG_LEVELS.DEBUG, `\`auth:store\` type: ${args.type}`);
+	const handler = {
+		signIn: (a) => signInImpl(ctx, a, config),
+		signOut: () => signOutImpl(ctx, config),
+		refreshSession: (a) => services.refresh.refresh(ctx, a),
+		verifyCodeAndSignIn: (a) => verifyCodeAndSignInImpl(ctx, a, getProviderOrThrow, config),
+		verifier: (a) => verifierImpl(ctx, a, config),
+		verifierSignature: (a) => verifierSignatureImpl(ctx, a, config),
+		userOAuth: (a) => userOAuthImpl(ctx, a, getProviderOrThrow, config),
+		createVerificationCode: (a) => createVerificationCodeImpl(ctx, a, getProviderOrThrow, config),
+		createAccountFromCredentials: (a) => createAccountFromCredentialsImpl(ctx, a, getProviderOrThrow, config),
+		retrieveAccountWithCredentials: (a) => retrieveAccountWithCredentialsImpl(ctx, a, getProviderOrThrow, config),
+		modifyAccount: (a) => modifyAccountImpl(ctx, a, getProviderOrThrow, config),
+		invalidateSessions: (a) => invalidateSessionsImpl(ctx, a, config)
+	}[args.type];
+	if (!handler) throw new Error(`Unknown store type: "${args.type}"`);
+	return await handler(args);
 };
 
 //#endregion

package/dist/server/mutations/verifier.js

@@ -1,16 +1,21 @@
 import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { getAuthSessionId } from "../sessions.js";
-import { Effect } from "effect";
+import { v } from "convex/values";
 
 //#region src/server/mutations/verifier.ts
-function verifierImpl(ctx, config) {
-	return Effect.flatMap(Effect.promise(() => getAuthSessionId(ctx)), (sessionId) => Effect.promise(() => authDb(ctx, config).verifiers.create(sessionId ?? void 0)).pipe(Effect.map((verifierId) => verifierId)));
+const verifierArgs = v.object({ signature: v.optional(v.string()) });
+async function verifierImpl(ctx, args, config) {
+	const sessionId = await getAuthSessionId(ctx);
+	return await authDb(ctx, config).verifiers.create(sessionId ?? void 0, args.signature);
 }
-const callVerifier = async (ctx) => {
-	return ctx.runMutation(AUTH_STORE_REF, { args: { type: "verifier" } });
+const callVerifier = async (ctx, signature) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "verifier",
+		...signature === void 0 ? {} : { signature }
+	} });
 };
 
 //#endregion
-export { callVerifier, verifierImpl };
+export { callVerifier, verifierArgs, verifierImpl };
 //# sourceMappingURL=verifier.js.map

package/dist/server/mutations/verify.js

@@ -1,17 +1,16 @@
 import { LOG_LEVELS } from "../../shared/log.js";
-import { requireEnv } from "../env.js";
 import { sha256 } from "../random.js";
 import { authDb } from "../db.js";
+import { requireEnv } from "../env.js";
 import { log } from "../log.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
-import { createNewAndDeleteExistingSession, getAuthSessionId, maybeGenerateTokensForSession } from "../sessions.js";
+import { getAuthSessionId, issueSession } from "../sessions.js";
 import { upsertUserAndAccount } from "../users.js";
 import { payloadRecordValidator } from "../payloads.js";
 import { isGroupProviderId } from "../sso/shared.js";
 import { createSyntheticOAuthMaterializedConfig } from "../sso/oidc.js";
 import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../limits.js";
 import { v } from "convex/values";
-import { Data, Effect } from "effect";
 
 //#region src/server/mutations/verify.ts
 const verifyCodeAndSignInArgs = v.object({
@@ -21,50 +20,46 @@ const verifyCodeAndSignInArgs = v.object({
 	generateTokens: v.boolean(),
 	allowExtraProviders: v.boolean()
 });
-/** A soft verification failure — logged and collapsed to null at the boundary. */
-var VerifyFailure = class extends Data.TaggedError("VerifyFailure") {};
-function verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config) {
+async function verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config) {
 	const params = args.params;
 	const { generateTokens, provider, allowExtraProviders } = args;
 	const identifier = typeof params.email === "string" ? params.email : typeof params.phone === "string" ? params.phone : void 0;
-	return Effect.gen(function* () {
-		yield* Effect.sync(() => {
-			log(LOG_LEVELS.DEBUG, "verifyCodeAndSignInImpl args:", {
-				params: {
-					email: params.email,
-					phone: params.phone
-				},
-				provider: args.provider,
-				verifier: args.verifier,
-				generateTokens: args.generateTokens,
-				allowExtraProviders: args.allowExtraProviders
-			});
-			if (generateTokens) {
-				requireEnv("JWT_PRIVATE_KEY");
-				requireEnv("JWKS");
-				requireEnv("CONVEX_SITE_URL");
-			}
+	try {
+		log(LOG_LEVELS.DEBUG, "verifyCodeAndSignInImpl args:", {
+			params: {
+				email: params.email,
+				phone: params.phone
+			},
+			provider: args.provider,
+			verifier: args.verifier,
+			generateTokens: args.generateTokens,
+			allowExtraProviders: args.allowExtraProviders
 		});
+		if (generateTokens) {
+			requireEnv("JWT_PRIVATE_KEY");
+			requireEnv("JWKS");
+			requireEnv("CONVEX_SITE_URL");
+		}
 		if (identifier !== void 0) {
-			if (yield* isSignInRateLimited(ctx, identifier, config)) return yield* Effect.fail(new VerifyFailure({ reason: "Too many failed attempts to verify code for this email" }));
+			if (await isSignInRateLimited(ctx, identifier, config)) throw new VerifyFailure("Too many failed attempts to verify code for this email");
 		}
 		const db = authDb(ctx, config);
 		const verifier = args.verifier;
 		const codeValue = params.code;
-		if (typeof codeValue !== "string") return yield* Effect.fail(new VerifyFailure({ reason: "Invalid verification code" }));
-		const hash = yield* Effect.promise(() => sha256(codeValue));
-		const code = yield* Effect.promise(() => db.verificationCodes.getByCode(hash));
-		if (code === null) return yield* Effect.fail(new VerifyFailure({ reason: "Invalid verification code" }));
-		yield* Effect.promise(() => db.verificationCodes.delete(code._id));
-		if (code.verifier !== verifier) return yield* Effect.fail(new VerifyFailure({ reason: "Invalid verifier" }));
-		if (code.expirationTime < Date.now()) return yield* Effect.fail(new VerifyFailure({ reason: "Expired verification code" }));
-		if (provider !== void 0 && code.provider !== provider) return yield* Effect.fail(new VerifyFailure({ reason: `Invalid provider "${provider}" for given \`code\`` }));
-		const account = yield* Effect.promise(() => db.accounts.getById(code.accountId));
-		if (account === null) return yield* Effect.fail(new VerifyFailure({ reason: "Account associated with this email has been deleted" }));
+		if (typeof codeValue !== "string") throw new VerifyFailure("Invalid verification code");
+		const hash = await sha256(codeValue);
+		const code = await db.verificationCodes.getByCode(hash);
+		if (code === null) throw new VerifyFailure("Invalid verification code");
+		await db.verificationCodes.delete(code._id);
+		if (code.verifier !== verifier) throw new VerifyFailure("Invalid verifier");
+		if (code.expirationTime < Date.now()) throw new VerifyFailure("Expired verification code");
+		if (provider !== void 0 && code.provider !== provider) throw new VerifyFailure(`Invalid provider "${provider}" for given \`code\``);
+		const account = await db.accounts.getById(code.accountId);
+		if (account === null) throw new VerifyFailure("Account associated with this email has been deleted");
 		const codeProvider = isGroupProviderId(code.provider) ? createSyntheticOAuthMaterializedConfig(code.provider) : getProviderOrThrow(code.provider, allowExtraProviders);
-		if (codeProvider !== null && (codeProvider.type === "email" || codeProvider.type === "phone") && codeProvider.authorize !== void 0) yield* Effect.promise(() => codeProvider.authorize(params, account));
+		if (codeProvider !== null && (codeProvider.type === "email" || codeProvider.type === "phone") && codeProvider.authorize !== void 0) await codeProvider.authorize(params, account);
 		const methodProvider = isGroupProviderId(account.provider) ? createSyntheticOAuthMaterializedConfig(account.provider) : getProviderOrThrow(account.provider);
-		const userId = methodProvider.type === "oauth" ? account.userId : (yield* Effect.promise(async () => upsertUserAndAccount(ctx, await getAuthSessionId(ctx), { existingAccount: account }, {
+		const userId = methodProvider.type === "oauth" ? account.userId : (await upsertUserAndAccount(ctx, await getAuthSessionId(ctx), { existingAccount: account }, {
 			type: "verification",
 			provider: methodProvider,
 			profile: {
@@ -77,18 +72,32 @@ function verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config) {
 					phoneVerified: true
 				} : {}
 			}
-		}, config))).userId;
-		if (identifier !== void 0) yield* resetSignInRateLimit(ctx, identifier, config);
-		const sessionId = yield* Effect.promise(() => createNewAndDeleteExistingSession(ctx, config, userId));
-		return yield* Effect.promise(() => maybeGenerateTokensForSession(ctx, config, userId, sessionId, generateTokens));
-	}).pipe(Effect.catchTag("VerifyFailure", (error) => Effect.gen(function* () {
-		yield* Effect.sync(() => {
-			log(LOG_LEVELS.ERROR, error.reason);
+		}, config)).userId;
+		if (identifier !== void 0) await resetSignInRateLimit(ctx, identifier, config);
+		return await issueSession(ctx, config, {
+			userId,
+			replaceSessionId: await getAuthSessionId(ctx) ?? void 0,
+			generateTokens
 		});
-		if (identifier !== void 0) yield* recordFailedSignIn(ctx, identifier, config);
-		return null;
-	})));
+	} catch (error) {
+		if (error instanceof VerifyFailure) {
+			log(LOG_LEVELS.ERROR, error.reason);
+			if (identifier !== void 0) await recordFailedSignIn(ctx, identifier, config);
+			return null;
+		}
+		throw error;
+	}
 }
+/** A soft verification failure -- logged and collapsed to null at the boundary. */
+var VerifyFailure = class extends Error {
+	_tag = "VerifyFailure";
+	reason;
+	constructor(reason) {
+		super(reason);
+		this.reason = reason;
+		this.name = "VerifyFailure";
+	}
+};
 const callVerifyCodeAndSignIn = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {
 		type: "verifyCodeAndSignIn",

package/dist/server/oauth/runtime.js

@@ -1,9 +1,9 @@
 import { envOptionalString, readConfigSync } from "../env.js";
+import { log } from "../log.js";
+import { withSpan } from "../utils/span.js";
 import { isLocalHost } from "../url.js";
 import { SHARED_COOKIE_OPTIONS } from "../cookies.js";
-import { log } from "../log.js";
 import { ConvexError } from "convex/values";
-import { Effect } from "effect";
 import * as arctic from "arctic";
 
 //#region src/server/oauth/runtime.ts
@@ -16,13 +16,14 @@ import * as arctic from "arctic";
 * @module
 */
 function failConvex(data) {
-	return Effect.fail(new ConvexError(data));
+	throw new ConvexError(data);
 }
-function tryConvex(options) {
-	return Effect.tryPromise({
-		try: async () => options.try(),
-		catch: (error) => new ConvexError(options.catch(error))
-	});
+async function tryConvex(options) {
+	try {
+		return await options.try();
+	} catch (error) {
+		throw new ConvexError(options.catch(error));
+	}
 }
 const COOKIE_TTL = 900;
 const oauthCookiePrefix = !isLocalHost(readConfigSync(envOptionalString("CONVEX_SITE_URL")) ?? void 0) ? "__Host-" : "";
@@ -67,7 +68,7 @@ function getAuthorizationSignature({ codeVerifier, state }) {
 function requiresPKCE(provider) {
 	return provider.pkce === "required" || provider.pkce === "optional";
 }
-function exchangeCode(provider, code, codeVerifier) {
+async function exchangeCode(provider, code, codeVerifier) {
 	return tryConvex({
 		try: () => provider.validateAuthorizationCode({
 			code,
@@ -89,7 +90,7 @@ function exchangeCode(provider, code, codeVerifier) {
 		}
 	});
 }
-function extractProfile(providerId, oauthConfig, tokens) {
+async function extractProfile(providerId, oauthConfig, tokens) {
 	if (oauthConfig.profile) return tryConvex({
 		try: () => oauthConfig.profile(tokens),
 		catch: (error) => ({
@@ -99,12 +100,12 @@ function extractProfile(providerId, oauthConfig, tokens) {
 	});
 	if (typeof tokens.idToken === "string") {
 		const claims = arctic.decodeIdToken(tokens.idToken);
-		return Effect.succeed({
+		return {
 			id: claims.sub ?? crypto.randomUUID(),
 			name: claims.name ?? void 0,
 			email: claims.email ?? void 0,
 			image: claims.picture ?? void 0
-		});
+		};
 	}
 	return failConvex({
 		code: "OAUTH_INVALID_PROFILE",
@@ -112,7 +113,8 @@ function extractProfile(providerId, oauthConfig, tokens) {
 	});
 }
 function validateProfileId(providerId, profile) {
-	return typeof profile.id === "string" && profile.id ? Effect.succeed(profile) : failConvex({
+	if (typeof profile.id === "string" && profile.id) return profile;
+	return failConvex({
 		code: "OAUTH_INVALID_PROFILE",
 		message: `The profile callback for "${providerId}" must return an object with a string \`id\` field.`
 	});
@@ -163,16 +165,16 @@ async function createOAuthAuthorizationURL(providerId, oauthConfig, options) {
 * Handle the OAuth callback: validate state, exchange code for tokens,
 * extract profile.
 */
-function handleOAuthCallback(providerId, oauthConfig, params, cookies) {
-	return Effect.gen(function* () {
-		if (oauthConfig.provider === null) return yield* failConvex({
+async function handleOAuthCallback(providerId, oauthConfig, params, cookies) {
+	return withSpan("convex-auth.oauth.callback", { providerId }, async () => {
+		if (oauthConfig.provider === null) return failConvex({
 			code: "OAUTH_PROVIDER_ERROR",
 			message: `OAuth provider "${providerId}" is missing a runtime client.`
 		});
 		const responseCookies = [];
 		const storedState = cookies[oauthCookieName("state", providerId)];
 		const returnedState = params.state;
-		if (!storedState || !returnedState || !constantTimeEqual(storedState, returnedState)) return yield* failConvex({
+		if (!storedState || !returnedState || !constantTimeEqual(storedState, returnedState)) return failConvex({
 			code: "OAUTH_INVALID_STATE",
 			message: "Invalid OAuth state. Please try signing in again."
 		});
@@ -184,21 +186,21 @@ function handleOAuthCallback(providerId, oauthConfig, params, cookies) {
 				error_description: params.error_description
 			};
 			log("DEBUG", "OAuthCallbackError", cause);
-			return yield* failConvex({
+			return failConvex({
 				code: "OAUTH_PROVIDER_ERROR",
 				message: "OAuth provider returned an error",
 				cause: JSON.stringify(cause)
 			});
 		}
 		const code = params.code;
-		if (code == null) return yield* failConvex({
+		if (code == null) return failConvex({
 			code: "OAUTH_PROVIDER_ERROR",
 			message: "Missing authorization code in callback"
 		});
 		let codeVerifier;
 		if (requiresPKCE(oauthConfig.provider)) {
 			const storedVerifier = cookies[oauthCookieName("pkce", providerId)];
-			if (storedVerifier == null) return yield* failConvex({
+			if (storedVerifier == null) return failConvex({
 				code: "OAUTH_MISSING_VERIFIER",
 				message: "Missing PKCE verifier cookie for OAuth callback"
 			});
@@ -208,22 +210,22 @@ function handleOAuthCallback(providerId, oauthConfig, params, cookies) {
 		let nonce;
 		if (oauthConfig.nonce === true) {
 			const storedNonce = cookies[oauthCookieName("nonce", providerId)];
-			if (storedNonce == null) return yield* failConvex({
+			if (storedNonce == null) return failConvex({
 				code: "OAUTH_PROVIDER_ERROR",
 				message: "Missing nonce cookie for OAuth callback"
 			});
 			nonce = storedNonce;
 			responseCookies.push(clearCookie("nonce", providerId));
 		}
-		const tokens = yield* exchangeCode(oauthConfig.provider, code, codeVerifier);
-		if (oauthConfig.validateTokens !== void 0) yield* tryConvex({
+		const tokens = await exchangeCode(oauthConfig.provider, code, codeVerifier);
+		if (oauthConfig.validateTokens !== void 0) await tryConvex({
 			try: () => oauthConfig.validateTokens(tokens, { nonce }),
 			catch: (error) => ({
 				code: "OAUTH_PROVIDER_ERROR",
 				message: `Token validation failed: ${error instanceof Error ? error.message : String(error)}`
 			})
 		});
-		const profile = yield* validateProfileId(providerId, yield* extractProfile(providerId, oauthConfig, tokens));
+		const profile = validateProfileId(providerId, await extractProfile(providerId, oauthConfig, tokens));
 		log("DEBUG", "OAuth callback profile extracted", {
 			providerId,
 			profileId: profile.id
@@ -238,7 +240,7 @@ function handleOAuthCallback(providerId, oauthConfig, params, cookies) {
 			cookies: responseCookies,
 			signature
 		};
-	}).pipe(Effect.withSpan("convex-auth.oauth.callback", { attributes: { providerId } }));
+	});
 }
 
 //#endregion