@robelest/convex-auth 0.0.4-preview.28 → 0.0.4-preview.30

package/dist/bin.js

@@ -6255,7 +6255,10 @@ gradient.pastel = pastel;
 //#region src/cli/keys.ts
 async function generateKeys() {
 	try {
-		const keys = await generateKeyPair("RS256", { extractable: true });
+		const keys = await generateKeyPair("EdDSA", {
+			crv: "Ed25519",
+			extractable: true
+		});
 		const privateKey = await exportPKCS8(keys.privateKey);
 		const publicKey = await exportJWK(keys.publicKey);
 		const jwks = JSON.stringify({ keys: [{
@@ -6263,7 +6266,7 @@ async function generateKeys() {
 			...publicKey
 		}] });
 		return {
-			JWT_PRIVATE_KEY: `${privateKey.trimEnd().replace(/\n/g, " ")}`,
+			JWT_PRIVATE_KEY: privateKey.trimEnd(),
 			JWKS: jwks,
 			AUTH_SECRET_ENCRYPTION_KEY: randomBytes(32).toString("base64url")
 		};
@@ -6503,6 +6506,7 @@ async function runSetup(options) {
 	await configureConvexConfig(config);
 	await initializeAuth(config);
 	await initializeAuthCore(config);
+	await initializeAuthConfig(config);
 	await configureHttp(config);
 	if (options.variables !== void 0) await configureOtherVariables(config, options.variables);
 	else printFinalSuccessMessage(config);
@@ -6816,6 +6820,38 @@ export const auth = createAuthContext(components.auth);
 		O.success(`Created ${newPath}`);
 	}
 }
+async function initializeAuthConfig(config) {
+	logStep(config, "Initialize auth.config file");
+	const sourceTemplate = `\
+export default {$$
+  providers: [$$
+    {$$
+      domain: process.env.CONVEX_SITE_URL,$$
+      applicationID: "convex",$$
+    },$$
+  ],$$
+};
+`;
+	const source = templateToSource(sourceTemplate);
+	const authConfigPath = path.join(config.convexFolderPath, "auth.config");
+	const existingPath = existingNonEmptySourcePath(authConfigPath);
+	if (existingPath !== null) if (doesAlreadyMatchTemplate(readFileSync(existingPath, "utf8"), sourceTemplate)) O.success(`${existingPath} is already set up.`);
+	else {
+		O.info(`You already have ${existingPath}. Make sure it trusts CONVEX_SITE_URL as the Convex auth issuer:`);
+		O.message(indent(`\n${source}\n`));
+		const ready = await ot({ message: "Ready to continue?" });
+		handleCancel(ready);
+		if (!ready) {
+			pt("Setup cancelled.");
+			process$1.exit(1);
+		}
+	}
+	else {
+		const newPath = config.usesTypeScript ? `${authConfigPath}.ts` : `${authConfigPath}.js`;
+		writeFileSync(newPath, source);
+		O.success(`Created ${newPath}`);
+	}
+}
 async function configureHttp(config) {
 	logStep(config, "Configure http file");
 	const sourceTemplate = `\

package/dist/browser/passkey.js

@@ -8,7 +8,7 @@ function createPasskeyClient(deps) {
 		if (result.kind !== "signedIn") return { kind: "started" };
 		return await setTokenAndMaybeWait(proxy ? {
 			shouldStore: false,
-			tokens: result.tokens === null ? null : { token: result.tokens.token },
+			tokens: result.session === null ? null : { token: result.session.token },
 			waitForHandshake: true,
 			context: {
 				provider: "passkey",
@@ -16,7 +16,7 @@ function createPasskeyClient(deps) {
 			}
 		} : {
 			shouldStore: true,
-			tokens: result.tokens,
+			tokens: result.session,
 			waitForHandshake: true,
 			context: {
 				provider: "passkey",

package/dist/client/core/types.d.ts

@@ -1,3 +1,4 @@
+import { AuthTokens, DeviceCodePayload } from "../../shared/authResults.js";
 import { ConvexError, Value } from "convex/values";
 import { FunctionReference } from "convex/server";
 
@@ -76,7 +77,7 @@ interface ClientAdapterDeps {
   proxyFetch: (body: Record<string, unknown>) => Promise<unknown>;
   setTokenAndMaybeWait: (args: {
     shouldStore: true;
-    tokens: AuthSession | null;
+    tokens: AuthTokens | null;
     waitForHandshake: boolean;
     context: {
       provider?: string;
@@ -97,28 +98,17 @@ interface ClientAdapterDeps {
 interface ClientAdapterFactories {
   passkey?: (deps: ClientAdapterDeps) => PasskeyClient;
 }
-type AuthSession = {
-  token: string;
-  refreshToken: string;
-};
+type DeviceCodeResult = DeviceCodePayload;
 /**
  * Device code response returned when signing in with the `"device"` provider.
  *
  * The device displays the `userCode` (or `verificationUriComplete`) and
  * polls via `auth.device.poll()` until the user authorizes.
  */
-type DeviceCodeResult = {
-  /** High-entropy device code used for polling (keep secret). */deviceCode: string; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
-  userCode: string; /** Base verification URL (e.g. "https://myapp.com/device"). */
-  verificationUri: string; /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */
-  verificationUriComplete: string; /** Lifetime of the codes in seconds. */
-  expiresIn: number; /** Minimum polling interval in seconds. */
-  interval: number;
-};
 /**
  * Result of a `signIn` call.
  *
- * - `kind: "signedIn"` — credentials were accepted and the user is authenticated.
+ * - `kind: "signedIn"` — credentials were accepted and a client session is now available.
  * - `kind: "redirect"` — OAuth flow initiated; redirect the user to `redirect.toString()`.
  * - `kind: "totpRequired"` — credentials valid but 2FA is needed; call `auth.totp.verify()`.
  * - `kind: "deviceCode"` — device flow initiated; display the code and poll via `auth.device.poll()`.
@@ -163,7 +153,6 @@ type AuthState = {
 type AuthApiRefs<HasPasskey extends boolean = boolean, HasTotp extends boolean = boolean, HasDevice extends boolean = boolean> = {
   signIn: FunctionReference<"action", "public", Record<string, Value>, unknown>;
   signOut: FunctionReference<"action", "public", Record<string, Value>, unknown>;
-  store: FunctionReference<"mutation", "public", Record<string, Value>, unknown>;
 };
 /**
  * Passkey (WebAuthn) client-side helpers.

package/dist/client/factors/device.js

@@ -45,10 +45,10 @@ function createDeviceClient(deps) {
 					throw error;
 				}
 				if (pollResult === null) continue;
-				if (isSignedInResult(pollResult) && pollResult.tokens) {
+				if (isSignedInResult(pollResult) && pollResult.session) {
 					if (proxy) await setTokenAndMaybeWait({
 						shouldStore: false,
-						tokens: pollResult.tokens === null ? null : { token: pollResult.tokens.token },
+						tokens: pollResult.session === null ? null : { token: pollResult.session.token },
 						waitForHandshake: true,
 						context: {
 							provider: "device",
@@ -57,7 +57,7 @@ function createDeviceClient(deps) {
 					});
 					else await setTokenAndMaybeWait({
 						shouldStore: true,
-						tokens: pollResult.tokens ?? null,
+						tokens: pollResult.session ?? null,
 						waitForHandshake: true,
 						context: {
 							provider: "device",

package/dist/client/factors/totp.js

@@ -56,9 +56,9 @@ function createTotpClient(deps) {
 						verifier: opts.verifier
 					}
 				});
-				if (isSignedInResult(result$1) && result$1.tokens) await setTokenAndMaybeWait({
+				if (isSignedInResult(result$1) && result$1.session) await setTokenAndMaybeWait({
 					shouldStore: false,
-					tokens: result$1.tokens === null ? null : { token: result$1.tokens.token },
+					tokens: result$1.session === null ? null : { token: result$1.session.token },
 					waitForHandshake: true,
 					context: {
 						provider: "totp",
@@ -72,9 +72,9 @@ function createTotpClient(deps) {
 				params,
 				verifier: opts.verifier
 			});
-			if (isSignedInResult(result) && result.tokens) await setTokenAndMaybeWait({
+			if (isSignedInResult(result) && result.session) await setTokenAndMaybeWait({
 				shouldStore: true,
-				tokens: result.tokens ?? null,
+				tokens: result.session ?? null,
 				waitForHandshake: true,
 				context: {
 					provider: "totp",
@@ -96,9 +96,9 @@ function createTotpClient(deps) {
 						verifier: opts.verifier
 					}
 				});
-				if (isSignedInResult(result$1) && result$1.tokens) await setTokenAndMaybeWait({
+				if (isSignedInResult(result$1) && result$1.session) await setTokenAndMaybeWait({
 					shouldStore: false,
-					tokens: result$1.tokens === null ? null : { token: result$1.tokens.token },
+					tokens: result$1.session === null ? null : { token: result$1.session.token },
 					waitForHandshake: true,
 					context: {
 						provider: "totp",
@@ -112,9 +112,9 @@ function createTotpClient(deps) {
 				params,
 				verifier: opts.verifier
 			});
-			if (isSignedInResult(result) && result.tokens) await setTokenAndMaybeWait({
+			if (isSignedInResult(result) && result.session) await setTokenAndMaybeWait({
 				shouldStore: true,
-				tokens: result.tokens ?? null,
+				tokens: result.session ?? null,
 				waitForHandshake: true,
 				context: {
 					provider: "totp",

package/dist/client/index.js

@@ -361,13 +361,13 @@ function client(options) {
 	const verifyCodeAndSetToken = async (args, opts) => {
 		const result = await verifyCode(args);
 		if (result.kind !== "signedIn") throw new Error("Code exchange did not return tokens.");
-		const { tokens } = result;
+		const { session } = result;
 		await setToken({
 			shouldStore: true,
-			tokens: tokens ?? null,
+			tokens: session ?? null,
 			resyncConvexAuth: opts?.resyncConvexAuth
 		});
-		return tokens !== null;
+		return session !== null;
 	};
 	const normalizeDeviceCodeResult = (device_code) => {
 		const input = device_code;
@@ -441,7 +441,7 @@ function client(options) {
 			};
 			if (result.kind === "signedIn") return await setTokenAndMaybeWait(resultOptions.shouldStore ? {
 				shouldStore: true,
-				tokens: result.tokens,
+				tokens: result.session,
 				waitForHandshake: true,
 				context: {
 					provider,
@@ -449,7 +449,7 @@ function client(options) {
 				}
 			} : {
 				shouldStore: false,
-				tokens: result.tokens === null ? null : { token: result.tokens.token },
+				tokens: result.session === null ? null : { token: result.session.token },
 				waitForHandshake: true,
 				context: {
 					provider,
@@ -538,9 +538,9 @@ function client(options) {
 						action: "auth:signIn",
 						args: { refreshToken: true }
 					}), isRetriableProxyRefreshError);
-					if (isSignedInResult(result) && result.tokens) await setToken({
+					if (isSignedInResult(result) && result.session) await setToken({
 						shouldStore: false,
-						tokens: { token: result.tokens.token },
+						tokens: { token: result.session.token },
 						resyncConvexAuth: false
 					});
 					else await setToken({