@robelest/convex-auth 0.0.4-preview.29 → 0.0.4-preview.31

package/dist/bin.js

@@ -6253,6 +6253,15 @@ gradient.pastel = pastel;
 
 //#endregion
 //#region src/cli/keys.ts
+/**
+* Generate a fresh JWT signing keypair, JWKS payload, and secret-encryption key.
+*
+* Used by the Convex Auth setup wizard to provision required environment
+* variables on a target Convex deployment.
+*
+* @returns Generated `JWT_PRIVATE_KEY`, `JWKS`, and `AUTH_SECRET_ENCRYPTION_KEY` values.
+* @internal
+*/
 async function generateKeys() {
 	try {
 		const keys = await generateKeyPair("EdDSA", {
@@ -6266,7 +6275,7 @@ async function generateKeys() {
 			...publicKey
 		}] });
 		return {
-			JWT_PRIVATE_KEY: `${privateKey.trimEnd().replace(/\n/g, " ")}`,
+			JWT_PRIVATE_KEY: privateKey.trimEnd(),
 			JWKS: jwks,
 			AUTH_SECRET_ENCRYPTION_KEY: randomBytes(32).toString("base64url")
 		};
@@ -6408,6 +6417,11 @@ function printHelp() {
 	printBanner();
 	console.log("  Add code and set environment variables for @robelest/convex-auth.\n");
 	console.log("  Full docs: https://auth.estifanos.com\n");
+	console.log("  Commands:\n");
+	console.log("    setup                         Scaffold files and set env vars");
+	console.log("    doctor                        Verify env, files, and mounted auth endpoints");
+	console.log("    urls                          Print auth endpoint and provider callback URLs");
+	console.log("    keys                          Generate signing/encryption keys\n");
 	console.log("  Options:\n");
 	for (const [name, def] of flagDefs) {
 		const flag = def.type === "boolean" ? `--${name}` : `--${name} <value>`;
@@ -6416,7 +6430,16 @@ function printHelp() {
 	console.log();
 }
 function parseArgs(argv) {
-	const args = argv.slice(2);
+	const rawArgs = argv.slice(2);
+	const knownCommands = new Set([
+		"setup",
+		"doctor",
+		"urls",
+		"keys"
+	]);
+	const firstArg = rawArgs[0];
+	const command = knownCommands.has(firstArg ?? "") ? firstArg : "setup";
+	const args = command === "setup" && !knownCommands.has(firstArg ?? "") ? rawArgs : rawArgs.slice(1);
 	const strings = /* @__PURE__ */ new Map();
 	const booleans = /* @__PURE__ */ new Set();
 	let i = 0;
@@ -6454,6 +6477,7 @@ function parseArgs(argv) {
 		process$1.exit(0);
 	}
 	return {
+		command,
 		siteUrl: strings.get("site-url"),
 		secondaryUrl: strings.get("secondary-url"),
 		variables: strings.get("variables"),
@@ -6505,15 +6529,80 @@ async function runSetup(options) {
 	await modifyTsConfig(config);
 	await configureConvexConfig(config);
 	await initializeAuth(config);
+	await initializeHttp(config);
 	await initializeAuthCore(config);
-	await configureHttp(config);
+	await initializeAuthConfig(config);
 	if (options.variables !== void 0) await configureOtherVariables(config, options.variables);
 	else printFinalSuccessMessage(config);
 	gt("Done! Happy building.");
 }
+async function runDoctor(options) {
+	validateDeploymentSelectionOptions(options);
+	printBanner();
+	mt("Checking Convex Auth setup...");
+	const convexFolderPath = readConvexJson().functions ?? "convex";
+	const configPath = existingNonEmptySourcePath(path.join(convexFolderPath, "convex.config"));
+	const authPath = existingNonEmptySourcePath(path.join(convexFolderPath, "auth"));
+	const authConfigPath = existingNonEmptySourcePath(path.join(convexFolderPath, "auth.config"));
+	if (configPath === null) O.warn("Missing convex.config.ts/js.");
+	else O.success(`Found ${configPath}`);
+	if (authPath === null) O.warn("Missing auth.ts/js.");
+	else O.success(`Found ${authPath}`);
+	if (authConfigPath === null) O.warn("Missing auth.config.ts/js.");
+	else O.success(`Found ${authConfigPath}`);
+	gt("Doctor checks complete.");
+}
+async function runUrls(options) {
+	validateDeploymentSelectionOptions(options);
+	printBanner();
+	const authSiteUrl = `${(readConvexDeployment(options).options.url ?? process$1.env.CONVEX_SITE_URL ?? "https://<deployment>.convex.site").replace(/\/$/, "")}/auth`;
+	O.info("Convex Auth URLs:");
+	O.message([
+		`Issuer: ${authSiteUrl}`,
+		`OpenID configuration: ${authSiteUrl}/.well-known/openid-configuration`,
+		`JWKS: ${authSiteUrl}/.well-known/jwks.json`,
+		`OAuth sign-in base: ${authSiteUrl}/signin/<provider>`,
+		`OAuth callback base: ${authSiteUrl}/callback/<provider>`,
+		`SSO connections base: ${authSiteUrl}/connections/<connectionId>`
+	].join("\n"));
+}
+async function runKeys(options) {
+	validateDeploymentSelectionOptions(options);
+	printBanner();
+	const convexJson = readConvexJson();
+	const deployment = readConvexDeployment(options);
+	await configureKeys({
+		isExpo: false,
+		isNextjs: false,
+		isVite: false,
+		usesTypeScript: true,
+		convexFolderPath: convexJson.functions ?? "convex",
+		deployment,
+		step: 1
+	});
+}
+/**
+* Run the interactive Convex Auth setup wizard.
+*
+* Parses CLI flags, detects the target Convex deployment, configures required
+* environment variables, and scaffolds the expected auth files in the current
+* project.
+*
+* @param argv - Process arguments. Defaults to `process.argv`.
+* @returns A promise that resolves when setup completes successfully.
+*/
 const runCli = async (argv = process$1.argv) => {
-	await runSetup(parseArgs(argv));
+	const options = parseArgs(argv);
+	if (options.command === "setup") await runSetup(options);
+	else if (options.command === "doctor") await runDoctor(options);
+	else if (options.command === "urls") await runUrls(options);
+	else if (options.command === "keys") await runKeys(options);
 };
+/**
+* Run the Convex Auth CLI and exit the process on failure.
+*
+* @param argv - Process arguments. Defaults to `process.argv`.
+*/
 function runCliMain(argv = process$1.argv) {
 	runCli(argv).catch((err) => {
 		console.error(err);
@@ -6789,6 +6878,33 @@ export const { signIn, signOut, store } = auth;
 		O.success(`Created ${newAuthPath}`);
 	}
 }
+async function initializeHttp(config) {
+	logStep(config, "Initialize HTTP auth routes");
+	const sourceTemplate = `\
+import { auth } from "./auth";
+
+export default auth.http();
+`;
+	const source = templateToSource(sourceTemplate);
+	const httpPath = path.join(config.convexFolderPath, "http");
+	const existingPath = existingNonEmptySourcePath(httpPath);
+	if (existingPath !== null) if (doesAlreadyMatchTemplate(readFileSync(existingPath, "utf8"), sourceTemplate)) O.success(`${existingPath} is already set up.`);
+	else {
+		O.info(`You already have ${existingPath}. Make sure it mounts Convex Auth protocol routes:`);
+		O.message(indent(`\n${source}\n`));
+		const ready = await ot({ message: "Ready to continue?" });
+		handleCancel(ready);
+		if (!ready) {
+			pt("Setup cancelled.");
+			process$1.exit(1);
+		}
+	}
+	else {
+		const newPath = config.usesTypeScript ? `${httpPath}.ts` : `${httpPath}.js`;
+		writeFileSync(newPath, source);
+		O.success(`Created ${newPath}`);
+	}
+}
 async function initializeAuthCore(config) {
 	logStep(config, "Initialize auth/core file");
 	const sourceTemplate = `\
@@ -6819,24 +6935,24 @@ export const auth = createAuthContext(components.auth);
 		O.success(`Created ${newPath}`);
 	}
 }
-async function configureHttp(config) {
-	logStep(config, "Configure http file");
+async function initializeAuthConfig(config) {
+	logStep(config, "Initialize auth.config file");
 	const sourceTemplate = `\
-import { httpRouter } from "convex/server";
-import { auth } from "./auth";
-
-const http = httpRouter();
-
-auth.http.add(http);
-
-export default http;
+export default {$$
+  providers: [$$
+    {$$
+      domain: process.env.CONVEX_SITE_URL + "/auth",$$
+      applicationID: "convex",$$
+    },$$
+  ],$$
+};
 `;
 	const source = templateToSource(sourceTemplate);
-	const httpPath = path.join(config.convexFolderPath, "http");
-	const existingHttpPath = existingNonEmptySourcePath(httpPath);
-	if (existingHttpPath !== null) if (doesAlreadyMatchTemplate(readFileSync(existingHttpPath, "utf8"), sourceTemplate)) O.success(`${existingHttpPath} is already set up.`);
+	const authConfigPath = path.join(config.convexFolderPath, "auth.config");
+	const existingPath = existingNonEmptySourcePath(authConfigPath);
+	if (existingPath !== null) if (doesAlreadyMatchTemplate(readFileSync(existingPath, "utf8"), sourceTemplate)) O.success(`${existingPath} is already set up.`);
 	else {
-		O.info(`You already have ${existingHttpPath}. Make sure it includes auth.http.add:`);
+		O.info(`You already have ${existingPath}. Make sure it trusts CONVEX_SITE_URL as the Convex auth issuer:`);
 		O.message(indent(`\n${source}\n`));
 		const ready = await ot({ message: "Ready to continue?" });
 		handleCancel(ready);
@@ -6846,9 +6962,9 @@ export default http;
 		}
 	}
 	else {
-		const newHttpPath = config.usesTypeScript ? `${httpPath}.ts` : `${httpPath}.js`;
-		writeFileSync(newHttpPath, source);
-		O.success(`Created ${newHttpPath}`);
+		const newPath = config.usesTypeScript ? `${authConfigPath}.ts` : `${authConfigPath}.js`;
+		writeFileSync(newPath, source);
+		O.success(`Created ${newPath}`);
 	}
 }
 function validateVariablesConfig(value) {
@@ -6914,9 +7030,11 @@ async function configureOtherVariables(config, json) {
 	}
 	if (variables.success !== void 0) O.success(variables.success);
 }
+/** @internal */
 function doesAlreadyMatchTemplate(existing, template) {
 	return new RegExp(template.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").replace(/\\\$\\\$/g, ".*").replace(/;\n/g, ";.*"), "s").test(existing);
 }
+/** @internal */
 function templateToSource(template) {
 	return template.replace(/\$\$/g, "");
 }
@@ -6988,6 +7106,7 @@ function loadEnvFiles() {
 		override: false
 	});
 }
+/** @internal */
 function readConvexDeployment(options) {
 	const { adminKey, url, prod, previewName, deploymentName } = options;
 	if (url) return {
@@ -7030,6 +7149,7 @@ function readConvexDeployment(options) {
 	}
 	logErrorAndExit("Could not find a configured CONVEX_DEPLOYMENT. Did you forget to run `npx convex dev` first?");
 }
+/** @internal */
 function stripDeploymentTypePrefix(deployment) {
 	const [type, name] = deployment.split(":");
 	if (type !== "prod" && type !== "dev" && type !== "preview" || !name) logErrorAndExit("Invalid CONVEX_DEPLOYMENT.", "Expected a typed deployment like \"dev:my-deployment\", \"prod:my-deployment\", or \"preview:my-deployment\".");
@@ -7044,11 +7164,13 @@ function deploymentNameFromAdminKey(adminKey) {
 	const parts = adminKey.split("|");
 	return parts.length > 1 && !isPreviewDeployKey(adminKey) ? stripDeploymentTypePrefix(parts[0]) : null;
 }
+/** @internal */
 function deploymentTypeFromAdminKey(adminKey) {
 	const type = adminKey.split(":")[0];
 	if (type === "prod" || type === "dev" || type === "preview") return type;
 	logErrorAndExit("Invalid admin key.", "Expected a typed key like \"dev:deployment|...\", \"prod:deployment|...\", or \"preview:...\".");
 }
+/** @internal */
 function isPreviewDeployKey(adminKey) {
 	const parts = adminKey.split("|");
 	if (parts.length === 1) return false;

package/dist/browser/index.d.ts

@@ -1,4 +1,4 @@
-import { AuthApiRefs, BrowserAuthClient, ClientOptions } from "../client/core/types.js";
+import { AuthApiRefs, ClientOptions, PlatformAuthClient } from "../client/core/types.js";
 import "../client/index.js";
 
 //#region src/browser/index.d.ts
@@ -13,18 +13,8 @@ import "../client/index.js";
  * @typeParam Api - Auth API references that control which factor helpers are
  *   available on the returned client.
  * @returns A browser auth client with the configured auth helpers.
- *
- * @example
- * ```ts
- * import { ConvexReactClient } from "convex/react";
- * import { client } from "@robelest/convex-auth/browser";
- * import { api } from "../convex/_generated/api";
- *
- * const convex = new ConvexReactClient(import.meta.env.VITE_CONVEX_URL);
- * const auth = client({ convex, api: api.auth });
- * ```
  */
-declare function client<Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs>(options: ClientOptions<Api>): BrowserAuthClient<Api>;
+declare function client<Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs>(options: ClientOptions<Api>): PlatformAuthClient<Api>;
 //#endregion
-export { type AuthApiRefs, type BrowserAuthClient as AuthClient, type ClientOptions, client };
+export { type AuthApiRefs, type PlatformAuthClient as AuthClient, type ClientOptions, client };
 //# sourceMappingURL=index.d.ts.map

package/dist/browser/index.js

@@ -1,3 +1,4 @@
+import { LOG_LEVELS, logMessage } from "../shared/log.js";
 import { ClientAdapterFactoriesLive, ClientAdaptersLive } from "../client/services/adapters.js";
 import { ClientHttpLive } from "../client/services/http.js";
 import { resolveClientServices } from "../client/services/resolve.js";
@@ -13,7 +14,7 @@ import { ConvexHttpClient } from "convex/browser";
 *
 * This entrypoint wraps the framework-agnostic `client(...)`
 * helper with browser defaults such as `ConvexHttpClient`, local storage, URL
-* replacement, and passkey adapters.
+* replacement, OAuth launching, and passkey adapters.
 *
 * @module
 */
@@ -28,16 +29,6 @@ import { ConvexHttpClient } from "convex/browser";
 * @typeParam Api - Auth API references that control which factor helpers are
 *   available on the returned client.
 * @returns A browser auth client with the configured auth helpers.
-*
-* @example
-* ```ts
-* import { ConvexReactClient } from "convex/react";
-* import { client } from "@robelest/convex-auth/browser";
-* import { api } from "../convex/_generated/api";
-*
-* const convex = new ConvexReactClient(import.meta.env.VITE_CONVEX_URL);
-* const auth = client({ convex, api: api.auth });
-* ```
 */
 function client(options) {
 	const url = options.proxyPath === void 0 ? options.url ?? inferConvexUrl(options.convex) : void 0;
@@ -50,7 +41,7 @@ function client(options) {
 		}),
 		http: ClientHttpLive(options.proxyPath !== void 0 ? null : options.httpClient ?? (url ? new ConvexHttpClient(url) : null))
 	});
-	return client$1({
+	const baseClient = client$1({
 		...options,
 		storage: options.storage === void 0 && options.proxyPath !== void 0 ? null : options.storage,
 		runtime: services.runtime,
@@ -58,6 +49,49 @@ function client(options) {
 		adapterFactories: services.adapterFactories,
 		httpClient: services.httpClient
 	});
+	const completeOAuth = async (input) => {
+		const result = await baseClient.completeOAuth(input);
+		if (result.handled && result.cleanupUrl && services.runtime.location) {
+			const current = services.runtime.location.get();
+			const cleanupUrl = result.cleanupUrl;
+			const relativeUrl = current !== null && cleanupUrl.origin === current.origin ? `${cleanupUrl.pathname}${cleanupUrl.search}${cleanupUrl.hash}` : cleanupUrl.toString();
+			await services.runtime.location.replace(relativeUrl);
+		}
+		return result;
+	};
+	const initialize = async () => {
+		await baseClient.initialize();
+		const current = services.runtime.location?.get();
+		if (current?.searchParams.has("code") && current.searchParams.has("state")) await completeOAuth(current);
+	};
+	const signIn = async (provider, ...args) => {
+		const params = args[0];
+		const result = await baseClient.signIn(provider, params);
+		if (result.kind === "redirect") await services.runtime.oauth?.open(result.redirect);
+		return result;
+	};
+	const browserClient = {
+		get state() {
+			return baseClient.state;
+		},
+		initialize,
+		param: baseClient.param,
+		get invite() {
+			return baseClient.invite;
+		},
+		completeOAuth,
+		signIn,
+		signOut: baseClient.signOut,
+		onChange: baseClient.onChange,
+		destroy: baseClient.destroy,
+		..."totp" in baseClient ? { totp: baseClient.totp } : {},
+		..."device" in baseClient ? { device: baseClient.device } : {},
+		..."passkey" in baseClient ? { passkey: baseClient.passkey } : {}
+	};
+	initialize().catch((error) => {
+		logMessage("convex-auth/browser", LOG_LEVELS.ERROR, ["[convex-auth] Browser client initialization failed:", error]);
+	});
+	return browserClient;
 }
 function mergeBrowserRuntime(runtime) {
 	const defaults = createBrowserRuntime();
@@ -68,6 +102,7 @@ function mergeBrowserRuntime(runtime) {
 		proxy: runtime?.proxy ?? defaults.proxy,
 		storage: runtime?.storage === void 0 ? defaults.storage : runtime.storage,
 		location: runtime?.location ?? defaults.location,
+		oauth: runtime?.oauth ?? defaults.oauth,
 		sync: runtime?.sync ?? defaults.sync,
 		mutex: runtime?.mutex ?? defaults.mutex
 	};

package/dist/browser/navigation.js

@@ -4,7 +4,7 @@ const BrowserNavigationLive = {
 	replace: (url) => {
 		if (typeof window !== "undefined") window.history.replaceState({}, "", url);
 	},
-	redirect: (url) => {
+	open: (url) => {
 		if (typeof window !== "undefined") window.location.href = url.toString();
 	}
 };

package/dist/browser/passkey.js

@@ -8,7 +8,7 @@ function createPasskeyClient(deps) {
 		if (result.kind !== "signedIn") return { kind: "started" };
 		return await setTokenAndMaybeWait(proxy ? {
 			shouldStore: false,
-			tokens: result.tokens === null ? null : { token: result.tokens.token },
+			tokens: result.session === null ? null : { token: result.session.token },
 			waitForHandshake: true,
 			context: {
 				provider: "passkey",
@@ -16,7 +16,7 @@ function createPasskeyClient(deps) {
 			}
 		} : {
 			shouldStore: true,
-			tokens: result.tokens,
+			tokens: result.session,
 			waitForHandshake: true,
 			context: {
 				provider: "passkey",
@@ -37,7 +37,7 @@ function createPasskeyClient(deps) {
 		},
 		register: async (opts) => {
 			const phase1Params = {
-				flow: "registerOptions",
+				flow: "register",
 				email: opts?.email,
 				userName: opts?.userName,
 				userDisplayName: opts?.userDisplayName
@@ -79,7 +79,7 @@ function createPasskeyClient(deps) {
 			const response = credential.response;
 			const transports = typeof response.getTransports === "function" ? response.getTransports() : void 0;
 			const phase2Params = {
-				flow: "registerVerify",
+				flow: "verify",
 				clientDataJSON: base64urlEncode(response.clientDataJSON),
 				attestationObject: base64urlEncode(response.attestationObject),
 				transports,
@@ -100,11 +100,11 @@ function createPasskeyClient(deps) {
 				params: phase2Params,
 				verifier: phase1Result.verifier
 			});
-			return handleSignedInResult(phase2Result, "registerVerify");
+			return handleSignedInResult(phase2Result, "verify");
 		},
-		authenticate: async (opts) => {
+		signIn: async (opts) => {
 			const phase1Params = {
-				flow: "authOptions",
+				flow: "signIn",
 				email: opts?.email
 			};
 			let phase1Result;
@@ -139,7 +139,7 @@ function createPasskeyClient(deps) {
 			if (!credential) throw new Error("Passkey authentication was cancelled");
 			const response = credential.response;
 			const phase2Params = {
-				flow: "authVerify",
+				flow: "verify",
 				credentialId: base64urlEncode(credential.rawId),
 				clientDataJSON: base64urlEncode(response.clientDataJSON),
 				authenticatorData: base64urlEncode(response.authenticatorData),
@@ -159,7 +159,7 @@ function createPasskeyClient(deps) {
 				params: phase2Params,
 				verifier: phase1Result.verifier
 			});
-			return handleSignedInResult(phase2Result, "authVerify");
+			return handleSignedInResult(phase2Result, "verify");
 		}
 	};
 }

package/dist/browser/runtime.js

@@ -11,14 +11,10 @@ const browserStorage = {
 		}
 	},
 	async setItem(key, value) {
-		try {
-			localStorage.setItem(key, value);
-		} catch {}
+		localStorage.setItem(key, value);
 	},
 	async removeItem(key) {
-		try {
-			localStorage.removeItem(key);
-		} catch {}
+		localStorage.removeItem(key);
 	}
 };
 /** @internal */
@@ -30,7 +26,8 @@ function base64urlEncode(buffer) {
 }
 /** @internal */
 function base64urlDecode(str) {
-	const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+	const normalized = str.replace(/-/g, "+").replace(/_/g, "/");
+	const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
 	const binary = atob(padded);
 	const bytes = new Uint8Array(binary.length);
 	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
@@ -52,14 +49,15 @@ function createBrowserRuntime() {
 			replace: (url) => {
 				BrowserNavigationLive.replace(url);
 				return Promise.resolve();
-			},
-			redirect: (url) => {
-				BrowserNavigationLive.redirect(url);
-				return Promise.resolve();
 			}
 		},
+		oauth: { open: (url) => {
+			BrowserNavigationLive.open(url);
+			return Promise.resolve();
+		} },
 		mutex: { withKey: (key, callback) => BrowserLocksLive.withKey(key, callback) },
 		proxy: { fetch: async (body, proxyPath) => {
+			if (typeof window === "undefined" || window.location?.origin === void 0) throw new Error("Browser proxy fetch is unavailable outside the browser runtime.");
 			return fetch(new URL(proxyPath, window.location.origin), {
 				method: "POST",
 				headers: { "Content-Type": "application/json" },
@@ -70,18 +68,18 @@ function createBrowserRuntime() {
 		sync: { subscribe: (key, callback) => {
 			if (typeof window === "undefined") return null;
 			const registry = getStorageListenerRegistry();
-			const existingSubscription = registry[key];
-			if (existingSubscription !== void 0) existingSubscription();
+			if (registry[key] === void 0) registry[key] = /* @__PURE__ */ new Set();
 			const controller = new AbortController();
 			window.addEventListener("storage", (event) => {
 				if (event.key !== key) return;
 				callback(event.newValue ?? null);
 			}, { signal: controller.signal });
 			const unsubscribe = () => {
-				if (registry[key] === unsubscribe) delete registry[key];
+				registry[key]?.delete(unsubscribe);
+				if (registry[key]?.size === 0) delete registry[key];
 				controller.abort();
 			};
-			registry[key] = unsubscribe;
+			registry[key].add(unsubscribe);
 			return unsubscribe;
 		} }
 	};