@robelest/convex-auth 0.0.4-preview.30 → 0.0.4-preview.31

package/dist/client/index.js

@@ -59,12 +59,16 @@ function buildSignInRequestKey(provider, params) {
 		params
 	});
 }
+function formDataEntries(formData) {
+	return formData;
+}
 /**
 * Create a framework-agnostic auth client.
 *
 * Returns an object with `signIn`, `signOut`, `onChange`, `state`, and any
-* factor helpers enabled by your configured providers. Browser-specific
-* passkey support is added by the `@robelest/convex-auth/browser` entrypoint.
+* factor helpers enabled by your configured providers. Platform-specific
+* passkey support is added by higher-level entrypoints such as
+* `@robelest/convex-auth/browser`.
 *
 * ### SPA mode (default)
 *
@@ -124,7 +128,6 @@ function client(options) {
 	}
 	const storage = options.storage !== void 0 ? options.storage : runtime.storage !== void 0 ? runtime.storage : null;
 	const proxyRuntime = proxy ? requireProxyRuntime() : null;
-	const replaceUrl = options.replaceUrl ?? (runtime.location ? (url$1) => runtime.location.replace(url$1) : (_url) => {});
 	function getLocation() {
 		if (typeof options.location === "function") return options.location();
 		if (options.location instanceof URL) return options.location;
@@ -151,16 +154,20 @@ function client(options) {
 	function cleanUrlParams(params) {
 		const loc = getLocation();
 		if (!loc) return;
+		if (!runtime.location) return;
 		const searchParams = new URLSearchParams(loc.search);
 		let changed = false;
 		for (const p of params) if (searchParams.has(p)) {
 			searchParams.delete(p);
 			changed = true;
 		}
-		if (changed) replaceUrl(searchParams.toString() ? `${loc.pathname}?${searchParams}` : loc.pathname);
+		if (changed) {
+			const next = searchParams.toString() ? `${loc.pathname}?${searchParams}` : loc.pathname;
+			runtime.location.replace(next);
+		}
 	}
 	const url = proxy ? void 0 : resolveUrl(convex, options.url);
-	const escapedNamespace = proxy ? proxy.replace(/[^a-zA-Z0-9]/g, "") : url.replace(/[^a-zA-Z0-9]/g, "");
+	const escapedNamespace = (proxy ?? url).replace(/^https?:\/\//, "").replace(/[^a-zA-Z0-9]/g, "_");
 	const key = (name) => `${name}_${escapedNamespace}`;
 	const { get: storageGet, set: storageSet, remove: storageRemove } = createStorageHelpers({
 		storage,
@@ -197,6 +204,7 @@ function client(options) {
 	let authEpoch = 0;
 	let destroyed = false;
 	let activeSignIn = null;
+	let initializePromise = null;
 	const handshakeWaiters = /* @__PURE__ */ new Set();
 	let snapshot = {
 		phase: hasServerToken ? "authenticated" : isLoading ? "loading" : "unauthenticated",
@@ -204,7 +212,6 @@ function client(options) {
 		isAuthenticated: hasServerToken,
 		token
 	};
-	let handlingCodeFlow = false;
 	const settleHandshakeWaiters = (epoch, outcome) => {
 		for (const waiter of Array.from(handshakeWaiters)) {
 			if (waiter.epoch !== epoch) continue;
@@ -404,18 +411,19 @@ function client(options) {
 	* }
 	* ```
 	*
-	* @example OAuth (triggers redirect)
+	* @example OAuth (returns a redirect URL)
 	* ```ts
-	* await auth.signIn('google'); // redirects to Google
+	* const result = await auth.signIn('google');
+	* if (result.kind === 'redirect') {
+	*   window.location.href = result.redirect.toString();
+	* }
 	* ```
 	*/
 	const signIn = async (provider, args) => {
 		await persistInvite();
 		const params = args instanceof FormData ? (() => {
 			const formParams = {};
-			args.forEach((value, key$1) => {
-				formParams[key$1] = typeof value === "string" ? value : value.name;
-			});
+			for (const [key$1, value] of formDataEntries(args)) formParams[key$1] = typeof value === "string" ? value : value.name;
 			return formParams;
 		})() : args ?? {};
 		const flow = typeof params.flow === "string" && params.flow.length > 0 ? params.flow : "signIn";
@@ -424,7 +432,6 @@ function client(options) {
 			if (result.kind === "redirect") {
 				const redirectUrl = new URL(result.redirect);
 				if (resultOptions.persistVerifier) await storageSet(VERIFIER_STORAGE_KEY, result.verifier);
-				if (runtime.location) await runtime.location.redirect(redirectUrl);
 				return {
 					kind: "redirect",
 					redirect: redirectUrl,
@@ -474,15 +481,24 @@ function client(options) {
 				persistVerifier: false
 			});
 			const verifier = await storageGet(VERIFIER_STORAGE_KEY) ?? void 0;
-			await storageRemove(VERIFIER_STORAGE_KEY);
-			return await handleSignInActionResult(await convex.action(requireApiRefs().signIn, {
-				provider,
-				params,
-				verifier
-			}), {
-				shouldStore: true,
-				persistVerifier: true
-			});
+			try {
+				const result = await convex.action(requireApiRefs().signIn, {
+					provider,
+					params,
+					verifier
+				});
+				if (params.code !== void 0) await storageRemove(VERIFIER_STORAGE_KEY);
+				return await handleSignInActionResult(result, {
+					shouldStore: true,
+					persistVerifier: true
+				});
+			} catch (error) {
+				if (params.code !== void 0) {
+					const convexCode = error instanceof ConvexError && typeof error.data?.code === "string" ? error.data.code : null;
+					if (convexCode !== null && ["INVALID_VERIFICATION_CODE", "INVALID_VERIFIER"].includes(convexCode)) await storageRemove(VERIFIER_STORAGE_KEY);
+				}
+				throw error;
+			}
 		})();
 		activeSignIn = {
 			key: signInKey,
@@ -531,7 +547,7 @@ function client(options) {
 		const withMutex = mutex ? (key$1, callback) => mutex.withKey(key$1, callback) : localMutex;
 		if (proxy) {
 			const tokenBeforeRefresh = token;
-			return await withMutex("__convexAuthProxyRefresh", async () => {
+			return await withMutex(`__convexAuthProxyRefresh_${escapedNamespace}`, async () => {
 				if (token !== tokenBeforeRefresh) return token;
 				try {
 					const result = await retryWithJitteredBackoff(() => proxyFetch({
@@ -556,41 +572,98 @@ function client(options) {
 			});
 		}
 		const tokenBeforeLockAcquisition = token;
-		return await withMutex(REFRESH_TOKEN_STORAGE_KEY, async () => {
+		return await withMutex(key(REFRESH_TOKEN_STORAGE_KEY), async () => {
 			const tokenAfterLockAcquisition = token;
 			if (tokenAfterLockAcquisition !== tokenBeforeLockAcquisition) return tokenAfterLockAcquisition;
 			const refreshToken = await storageGet(REFRESH_TOKEN_STORAGE_KEY) ?? null;
 			if (!refreshToken) {
-				finalizeLoadingState();
+				await setToken({
+					shouldStore: true,
+					tokens: null,
+					resyncConvexAuth: false
+				});
 				return null;
 			}
 			await verifyCodeAndSetToken({ refreshToken }, { resyncConvexAuth: false });
 			return token;
 		});
 	};
-	const handleCodeFlow = async () => {
-		if (handlingCodeFlow) return;
-		const location = getLocation();
-		if (!location) return;
-		const code = location.searchParams.get("code");
-		if (!code) return;
-		handlingCodeFlow = true;
+	const resolveOAuthInput = (input) => {
+		if (input instanceof URL) return {
+			code: input.searchParams.get("code"),
+			cleanupUrl: input.searchParams.has("code") ? (() => {
+				const next = new URL(input.toString());
+				next.searchParams.delete("code");
+				return next;
+			})() : null
+		};
+		if (typeof input === "object") return {
+			code: input.code,
+			cleanupUrl: null
+		};
 		try {
-			await signIn(void 0, { code });
-			const codeUrl = new URL(location.toString());
-			codeUrl.searchParams.delete("code");
-			await replaceUrl(codeUrl.pathname + codeUrl.search + codeUrl.hash);
-		} catch {} finally {
-			handlingCodeFlow = false;
+			const url$1 = new URL(input);
+			return {
+				code: url$1.searchParams.get("code"),
+				cleanupUrl: url$1.searchParams.has("code") ? (() => {
+					const next = new URL(url$1.toString());
+					next.searchParams.delete("code");
+					return next;
+				})() : null
+			};
+		} catch {
+			return {
+				code: input,
+				cleanupUrl: null
+			};
 		}
 	};
+	const completeOAuth = async (input) => {
+		const { code, cleanupUrl } = resolveOAuthInput(input);
+		if (!code) return { handled: false };
+		if ((await signIn(void 0, { code })).kind !== "signedIn") throw new Error("OAuth code exchange did not complete sign-in.");
+		return {
+			handled: true,
+			cleanupUrl
+		};
+	};
 	const hydrateFromStorage = async () => {
 		const storedToken = await storageGet(JWT_STORAGE_KEY) ?? null;
 		await setToken({
 			shouldStore: false,
-			tokens: storedToken === null ? null : { token: storedToken }
+			tokens: storedToken === null ? null : { token: storedToken },
+			resyncConvexAuth: storedToken !== null
 		});
 	};
+	const initialize = async () => {
+		if (initializePromise !== null) return await initializePromise;
+		initializePromise = (async () => {
+			if (proxy) {
+				if (!hasServerToken && runtime.environment !== "server") try {
+					await fetchAccessToken({ forceRefreshToken: true });
+				} catch (error) {
+					logMessage("convex-auth/client", LOG_LEVELS.ERROR, ["[convex-auth] Proxy token refresh failed:", error]);
+				}
+				return;
+			}
+			try {
+				await hydrateFromStorage();
+			} catch {
+				try {
+					await setToken({
+						shouldStore: false,
+						tokens: null,
+						resyncConvexAuth: false
+					});
+				} catch {}
+			}
+		})();
+		try {
+			await initializePromise;
+		} finally {
+			initializePromise = Promise.resolve();
+		}
+	};
 	/**
 	* Subscribe to auth state changes. Invokes the callback immediately
 	* with the current state, then again on every state transition.
@@ -619,29 +692,14 @@ function client(options) {
 		});
 	}) ?? null;
 	bindConvexAuth();
-	if (proxy) {
-		if (!hasServerToken && runtime.environment !== "server") fetchAccessToken({ forceRefreshToken: true }).catch((error) => {
-			logMessage("convex-auth/client", LOG_LEVELS.ERROR, ["[convex-auth] Proxy token refresh failed:", error]);
-		});
-	} else (async () => {
-		try {
-			await hydrateFromStorage();
-			await handleCodeFlow();
-		} catch {
-			try {
-				await setToken({
-					shouldStore: false,
-					tokens: null
-				});
-			} catch {}
-		}
-	})().catch((error) => {
-		logMessage("convex-auth/client", LOG_LEVELS.ERROR, ["[convex-auth] SPA initialization failed:", error]);
+	initialize().catch((error) => {
+		logMessage("convex-auth/client", LOG_LEVELS.ERROR, ["[convex-auth] Client initialization failed:", error]);
 	});
 	return {
 		get state() {
 			return snapshot;
 		},
+		initialize,
 		param,
 		get invite() {
 			const pendingInvite = getPendingInvite();
@@ -652,6 +710,7 @@ function client(options) {
 				accept: acceptInvite
 			};
 		},
+		completeOAuth,
 		signIn,
 		signOut,
 		onChange,

package/dist/client/runtime/mutex.js

@@ -7,7 +7,8 @@ async function localMutex(key, callback) {
 	const currentTail = new Promise((resolve) => {
 		releaseCurrent = resolve;
 	});
-	mutexTails[key] = previousTail.then(() => currentTail, () => currentTail);
+	const currentTailPromise = previousTail.then(() => currentTail, () => currentTail);
+	mutexTails[key] = currentTailPromise;
 	try {
 		await previousTail;
 	} catch {}
@@ -15,7 +16,7 @@ async function localMutex(key, callback) {
 		return await callback();
 	} finally {
 		releaseCurrent?.();
-		if (mutexTails[key] === currentTail) delete mutexTails[key];
+		if (mutexTails[key] === currentTailPromise) delete mutexTails[key];
 	}
 }
 

package/dist/component/_generated/component.d.ts

@@ -187,6 +187,23 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
           transports?: Array<string>;
           userId: string;
         } | null, Name>;
+        passkeyGetById: FunctionReference<"query", "internal", {
+          passkeyId: string;
+        }, {
+          _creationTime: number;
+          _id: string;
+          algorithm: number;
+          backedUp: boolean;
+          counter: number;
+          createdAt: number;
+          credentialId: string;
+          deviceType: string;
+          lastUsedAt?: number;
+          name?: string;
+          publicKey: ArrayBuffer;
+          transports?: Array<string>;
+          userId: string;
+        } | null, Name>;
         passkeyInsert: FunctionReference<"mutation", "internal", {
           algorithm: number;
           backedUp: boolean;
@@ -1788,6 +1805,7 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
       };
       verifiers: {
         verifierCreate: FunctionReference<"mutation", "internal", {
+          expirationTime?: number;
           sessionId?: string;
           signature?: string;
         }, string, Name>;
@@ -1799,6 +1817,7 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
         }, {
           _creationTime: number;
           _id: string;
+          expirationTime?: number;
           sessionId?: string;
           signature?: string;
         } | null, Name>;
@@ -1807,6 +1826,7 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
         }, {
           _creationTime: number;
           _id: string;
+          expirationTime?: number;
           sessionId?: string;
           signature?: string;
         } | null, Name>;
@@ -2159,6 +2179,23 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
       transports?: Array<string>;
       userId: string;
     } | null, Name>;
+    passkeyGetById: FunctionReference<"query", "internal", {
+      passkeyId: string;
+    }, {
+      _creationTime: number;
+      _id: string;
+      algorithm: number;
+      backedUp: boolean;
+      counter: number;
+      createdAt: number;
+      credentialId: string;
+      deviceType: string;
+      lastUsedAt?: number;
+      name?: string;
+      publicKey: ArrayBuffer;
+      transports?: Array<string>;
+      userId: string;
+    } | null, Name>;
     passkeyInsert: FunctionReference<"mutation", "internal", {
       algorithm: number;
       backedUp: boolean;
@@ -3150,6 +3187,7 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
       verifier?: string;
     } | null, Name>;
     verifierCreate: FunctionReference<"mutation", "internal", {
+      expirationTime?: number;
       sessionId?: string;
       signature?: string;
     }, string, Name>;
@@ -3161,6 +3199,7 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
     }, {
       _creationTime: number;
       _id: string;
+      expirationTime?: number;
       sessionId?: string;
       signature?: string;
     } | null, Name>;
@@ -3169,6 +3208,7 @@ type ComponentApi<Name extends string | undefined = string | undefined> = {
     }, {
       _creationTime: number;
       _id: string;
+      expirationTime?: number;
       sessionId?: string;
       signature?: string;
     } | null, Name>;

package/dist/component/convex.config.d.ts

@@ -1,7 +1,7 @@
-import * as convex_server0 from "convex/server";
+import * as convex_server4 from "convex/server";
 
 //#region src/component/convex.config.d.ts
-declare const component: convex_server0.ComponentDefinition<any>;
+declare const component: convex_server4.ComponentDefinition<any>;
 //#endregion
 export { component as default };
 //# sourceMappingURL=convex.config.d.ts.map

package/dist/component/http.js

@@ -0,0 +1,9 @@
+import { httpRouter } from "convex/server";
+
+//#region src/component/http.ts
+const http = httpRouter();
+var http_default = http;
+
+//#endregion
+export { http_default as default };
+//# sourceMappingURL=http.js.map

package/dist/component/index.d.ts

@@ -1,4 +1,4 @@
 import { AuthProviderConfig, ConvexAuthConfig, ConvexCredentialsConfig, CorsConfig, DeviceProviderConfig, EmailConfig, EmailUserConfig, GenericDoc, GroupConnectionPolicy, GroupConnectionPolicyPatch, HttpKeyContext, KeyScope, PhoneConfig, PhoneUserConfig, ScopeChecker } from "../server/types.js";
-import { AuthConfig, AuthContext, AuthContextConfig, InferAuth, OptionalAuthContext, UserDoc } from "../server/auth-context.js";
+import { AuthConfig, AuthContext, AuthContextConfig, InferAuth, OptionalAuthContext, UserDoc } from "../server/facade.js";
 import { HttpAuthContext, HttpAuthContextConfig, OptionalHttpAuthContext } from "../server/http.js";
 import { AuthApi, createAuth } from "../server/auth.js";

package/dist/component/model.d.ts

@@ -1,7 +1,7 @@
-import * as convex_values480 from "convex/values";
+import * as convex_values440 from "convex/values";
 
 //#region src/component/model.d.ts
-declare const vApiKeyDoc: convex_values480.VObject<{
+declare const vApiKeyDoc: convex_values440.VObject<{
   lastUsedAt?: number | undefined;
   expiresAt?: number | undefined;
   rateLimit?: {
@@ -16,7 +16,7 @@ declare const vApiKeyDoc: convex_values480.VObject<{
   _creationTime: number;
   name: string;
   revoked: boolean;
-  userId: convex_values480.GenericId<"User">;
+  userId: convex_values440.GenericId<"User">;
   prefix: string;
   hashedKey: string;
   scopes: {
@@ -24,43 +24,43 @@ declare const vApiKeyDoc: convex_values480.VObject<{
     actions: string[];
   }[];
   createdAt: number;
-  _id: convex_values480.GenericId<"ApiKey">;
+  _id: convex_values440.GenericId<"ApiKey">;
 }, {
-  userId: convex_values480.VId<convex_values480.GenericId<"User">, "required">;
-  prefix: convex_values480.VString<string, "required">;
-  hashedKey: convex_values480.VString<string, "required">;
-  name: convex_values480.VString<string, "required">;
-  scopes: convex_values480.VArray<{
+  userId: convex_values440.VId<convex_values440.GenericId<"User">, "required">;
+  prefix: convex_values440.VString<string, "required">;
+  hashedKey: convex_values440.VString<string, "required">;
+  name: convex_values440.VString<string, "required">;
+  scopes: convex_values440.VArray<{
     resource: string;
     actions: string[];
-  }[], convex_values480.VObject<{
+  }[], convex_values440.VObject<{
     resource: string;
     actions: string[];
   }, {
-    resource: convex_values480.VString<string, "required">;
-    actions: convex_values480.VArray<string[], convex_values480.VString<string, "required">, "required">;
+    resource: convex_values440.VString<string, "required">;
+    actions: convex_values440.VArray<string[], convex_values440.VString<string, "required">, "required">;
   }, "required", "resource" | "actions">, "required">;
-  rateLimit: convex_values480.VObject<{
+  rateLimit: convex_values440.VObject<{
     maxRequests: number;
     windowMs: number;
   } | undefined, {
-    maxRequests: convex_values480.VFloat64<number, "required">;
-    windowMs: convex_values480.VFloat64<number, "required">;
+    maxRequests: convex_values440.VFloat64<number, "required">;
+    windowMs: convex_values440.VFloat64<number, "required">;
   }, "optional", "maxRequests" | "windowMs">;
-  rateLimitState: convex_values480.VObject<{
+  rateLimitState: convex_values440.VObject<{
     attemptsLeft: number;
     lastAttemptTime: number;
   } | undefined, {
-    attemptsLeft: convex_values480.VFloat64<number, "required">;
-    lastAttemptTime: convex_values480.VFloat64<number, "required">;
+    attemptsLeft: convex_values440.VFloat64<number, "required">;
+    lastAttemptTime: convex_values440.VFloat64<number, "required">;
   }, "optional", "attemptsLeft" | "lastAttemptTime">;
-  expiresAt: convex_values480.VFloat64<number | undefined, "optional">;
-  lastUsedAt: convex_values480.VFloat64<number | undefined, "optional">;
-  createdAt: convex_values480.VFloat64<number, "required">;
-  revoked: convex_values480.VBoolean<boolean, "required">;
-  metadata: convex_values480.VAny<any, "optional", string>;
-  _id: convex_values480.VId<convex_values480.GenericId<"ApiKey">, "required">;
-  _creationTime: convex_values480.VFloat64<number, "required">;
+  expiresAt: convex_values440.VFloat64<number | undefined, "optional">;
+  lastUsedAt: convex_values440.VFloat64<number | undefined, "optional">;
+  createdAt: convex_values440.VFloat64<number, "required">;
+  revoked: convex_values440.VBoolean<boolean, "required">;
+  metadata: convex_values440.VAny<any, "optional", string>;
+  _id: convex_values440.VId<convex_values440.GenericId<"ApiKey">, "required">;
+  _creationTime: convex_values440.VFloat64<number, "required">;
 }, "required", "_creationTime" | "name" | "revoked" | "lastUsedAt" | "expiresAt" | "userId" | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "createdAt" | "metadata" | "_id" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime" | `metadata.${string}`>;
 //#endregion
 export { vApiKeyDoc };

package/dist/component/model.js

@@ -137,7 +137,8 @@ const vAccountDoc = v.object({
 const vAuthVerifierDoc = v.object({
 	...vDocMeta(TABLES.AuthVerifier),
 	sessionId: v.optional(v.id(TABLES.Session)),
-	signature: v.optional(v.string())
+	signature: v.optional(v.string()),
+	expirationTime: v.optional(v.number())
 });
 const vVerificationCodeDoc = v.object({
 	...vDocMeta(TABLES.VerificationCode),

package/dist/component/modules.js

@@ -6,6 +6,7 @@ const modules = {
 	"./component/_generated/server.ts": () => import("./_generated/server.js"),
 	"./component/convex.config.ts": () => import("./convex.config.js"),
 	"./component/functions.ts": () => import("./functions.js"),
+	"./component/http.ts": () => import("./http.js"),
 	"./component/index.ts": () => import("./index.js"),
 	"./component/model.ts": () => import("./model.js"),
 	"./component/public.ts": () => import("./public.js"),

package/dist/component/public/factors/passkeys.js

@@ -100,6 +100,36 @@ const passkeyGetByCredentialId = query({
 	}
 });
 /**
+* Get a single passkey by its document ID.
+*
+* Performs a direct point lookup on the `Passkey` table. Returns `null`
+* when no passkey exists with the given ID (e.g. it was already deleted).
+* Useful when callers already hold a passkey ID and need to inspect the
+* document — for example to capture the owning `userId` before deletion.
+*
+* @param passkeyId - The `_id` of the `Passkey` document to retrieve.
+* @returns The `Passkey` document, or `null` if no passkey exists with the
+*   given ID.
+*
+* @example
+* ```ts
+* const passkey = await ctx.runQuery(
+*   components.auth.factors.passkeys.passkeyGetById,
+*   { passkeyId },
+* );
+* if (passkey === null) {
+*   throw new Error("Passkey not found");
+* }
+* ```
+*/
+const passkeyGetById = query({
+	args: { passkeyId: v.id("Passkey") },
+	returns: v.union(vPasskeyDoc, v.null()),
+	handler: async (ctx, { passkeyId }) => {
+		return await ctx.db.get("Passkey", passkeyId);
+	}
+});
+/**
 * List all passkeys registered to a user.
 *
 * Retrieves every `Passkey` document associated with the given user via
@@ -234,5 +264,5 @@ const passkeyDelete = mutation({
 });
 
 //#endregion
-export { passkeyDelete, passkeyGetByCredentialId, passkeyInsert, passkeyListByUserId, passkeyUpdateCounter, passkeyUpdateMeta };
+export { passkeyDelete, passkeyGetByCredentialId, passkeyGetById, passkeyInsert, passkeyListByUserId, passkeyUpdateCounter, passkeyUpdateMeta };
 //# sourceMappingURL=passkeys.js.map

package/dist/component/public/identity/codes.js

@@ -56,7 +56,7 @@ const verificationCodeGetByCode = query({
 	args: { code: v.string() },
 	returns: v.union(vVerificationCodeDoc, v.null()),
 	handler: async (ctx, { code }) => {
-		return await ctx.db.query("VerificationCode").withIndex("code", (q) => q.eq("code", code)).unique();
+		return await ctx.db.query("VerificationCode").withIndex("code", (q) => q.eq("code", code)).first();
 	}
 });
 /**

package/dist/component/public/identity/tokens.js

@@ -212,7 +212,8 @@ const refreshTokenExchange = mutation({
 			await Promise.all(tokens.map((token) => ctx.db.delete("RefreshToken", token._id)));
 		};
 		const refreshTokenDoc = await ctx.db.get("RefreshToken", args.refreshTokenId);
-		if (refreshTokenDoc === null || refreshTokenDoc.expirationTime < args.now || refreshTokenDoc.sessionId !== args.sessionId) {
+		if (refreshTokenDoc === null || refreshTokenDoc.sessionId !== args.sessionId) return null;
+		if (refreshTokenDoc.expirationTime < args.now) {
 			await cleanupSessionArtifacts();
 			return null;
 		}

package/dist/component/public/identity/verifiers.js

@@ -3,6 +3,12 @@ import { mutation, query } from "../../functions.js";
 import { v } from "convex/values";
 
 //#region src/component/public/identity/verifiers.ts
+const DEFAULT_VERIFIER_TTL_MS = 1e3 * 60 * 15;
+async function getUnexpiredVerifier(ctx, verifierId) {
+	const verifier = await ctx.db.get("AuthVerifier", verifierId);
+	if (verifier?.expirationTime !== void 0 && verifier.expirationTime < Date.now()) return null;
+	return verifier;
+}
 /**
 * Create a new PKCE verifier, optionally linked to a session.
 *
@@ -26,13 +32,15 @@ import { v } from "convex/values";
 const verifierCreate = mutation({
 	args: {
 		sessionId: v.optional(v.id("Session")),
-		signature: v.optional(v.string())
+		signature: v.optional(v.string()),
+		expirationTime: v.optional(v.number())
 	},
 	returns: v.id("AuthVerifier"),
-	handler: async (ctx, { sessionId, signature }) => {
+	handler: async (ctx, { sessionId, signature, expirationTime }) => {
 		return await ctx.db.insert("AuthVerifier", {
 			sessionId,
-			signature
+			signature,
+			expirationTime: expirationTime ?? Date.now() + DEFAULT_VERIFIER_TTL_MS
 		});
 	}
 });
@@ -60,7 +68,7 @@ const verifierGetById = query({
 	args: { verifierId: v.id("AuthVerifier") },
 	returns: v.union(vAuthVerifierDoc, v.null()),
 	handler: async (ctx, { verifierId }) => {
-		return await ctx.db.get("AuthVerifier", verifierId);
+		return await getUnexpiredVerifier(ctx, verifierId);
 	}
 });
 /**
@@ -89,7 +97,9 @@ const verifierGetBySignature = query({
 	args: { signature: v.string() },
 	returns: v.union(vAuthVerifierDoc, v.null()),
 	handler: async (ctx, { signature }) => {
-		return await ctx.db.query("AuthVerifier").withIndex("signature", (q) => q.eq("signature", signature)).unique();
+		const verifier = await ctx.db.query("AuthVerifier").withIndex("signature", (q) => q.eq("signature", signature)).unique();
+		if (verifier?.expirationTime !== void 0 && verifier.expirationTime < Date.now()) return null;
+		return verifier;
 	}
 });
 /**